search

getgrav / grav-plugin-admin

Grav Admin Plugin
http://getgrav.org
MIT License
355 stars 227 forks source link

GravCMS Core (Admin Plugin) v1.4.2 - Persistent Cross-Site Scripting Vulnerability #1128

Closed ahsan-tahir closed 7 years ago

ahsan-tahir commented 7 years ago

Exploit Title: GravCMS Core (Admin Plugin) v1.4.2 - Persistent Cross-Site Scripting

Date: 2017-06-07

Exploit Author: Ahsan Tahir

Vendor Homepage: https://getgrav.org/

Software Link: https://getgrav.org/download/core/grav-admin/1.2.4

Version: 1.4.2

Tested on: [Kali Linux 2.0 | Windows 8.1]

Email: mrahsan1337@gmail.com

Contact: https://twitter.com/AhsanTahirAT

Release Date:

2017-06-07

Product & Service Introduction:

Grav is built and maintained by a team of dedicated and passionate developers, designers and users. As Grav is an open source project we greatly appreciate user contribution and commitment. These are the key folks that make this all possible.

Abstract Advisory Information:

Ahsan Tahir, an independent vulnerability researcher discovered a Persistent Cross-Site Scripting Vulnerability in GravCMS Admin Plugin (v 1.4.2)

Vulnerability Disclosure Timeline:

2017-06-07: Found the vulnerability. 2017-06-07: Reported to vendor. 2017-06-07: Published.

Discovery Status:

Published

Exploitation Technique:

Remote

Severity Level:

Medium

Technical Details & Description:

The security risk of the xss vulnerability is estimated as medium with a common vulnerability scoring system count of 3.6. Exploitation of the persistent xss web vulnerability requires a limited admin user account and only low user interaction. Successful exploitation of the vulnerability results in persistent phishing attacks, session hijacking, persistent external redirect to malicious sources and persistent manipulation of affected or connected web module context.

Proof of Concept (PoC):

The persistent input validation vulnerability can be exploited by restricted user accounts with low user interaction. For security demonstraton or to reproduce the vulnerability follow the provided information and steps below to continue.

Payload (Exploitation): Click Me

[+] Manual steps to reproduce ..

  1. Login with the admin or editor account in GravCMS
  2. Go to edit page option (e.g http://127.0.0.1/cms/grav-admin/admin/pages/home)
  3. Put the payload "Click Me" (without quotes) in the content of page
  4. Save Page!
  5. Go to the index page (e.g http://127.0.0.1/cms/grav-admin/)
  6. Click on "Click Me"
  7. The Javascript execution occurs - Successful reproduce of the persistent cross site scripting vulnerability!

Credits & Authors:

Ahsan Tahir - [https://twitter.com/AhsanTahirAT]

w00fz commented 7 years ago

Hello Ahsan, I'm failing to understand where the XSS applies in this. Are you saying that you can type any JavaScript in the Content field of a page in Admin and that it would render and execute on frontend for that page?

Perhaps you didn't put in code block the payload but from here I don't see any JavaScript in the "Click Me" PoC.

Anyway appreciate the report, I would probably suggest to contact us privately next time, just to give us a little time to investigate at least. As this stand right now, my understanding is that you say the Content field of a page allows JS, this is really not considerable an exploitable field though. It's purposely allowing the authenticated user, with the proper access level tokens, to be able to edit the content and add images, html, css as well as js.

Thanks!

ahsan-tahir commented 7 years ago

Okay! Buy hey, I found a way to upload .php files in the server through the admin profile picture, should I report it? (It also requires admin access) ..

rhukster commented 7 years ago

Please report that as a new bug please. Don't need to get all dramatic with security alerts. We'll just check to ensure images are only supported.