I-Frame Injection Vulnerability in Evolution CMS 2.0.x #1042

Closed
prasadlingamaiah opened this issue Mar 22, 2019 · 2 comments
@prasadlingamaiah
I-Frame Injection Vulnerability

Risk Description
Malware attackers use an IFrame to include malware websites. They are able to include the webpage as a one-pixel square (you won't be able to see it in the webpage) and obfuscate the JavaScript that will run automatically from that included page so that it looks something like %6C%20%66%72%61%6D%65%62%6F, leaving no obvious clue that it's malicious. Using Iframe Injection, an attacker can inject advertisements inside any other websites, insert malware-infected site links, redirect to malware-infected sites and more.

POC

1. Login to the Evolution CMS application.
   [screenshot: login page]

2. Go to the template location and try to create a New template.
   [screenshot: edit template]

3. Insert the payload in the description location / template name as "/><iframe/src="https://evil.com"></iframe>
   [screenshot: edit template]

4. Save and close the template.
   [screenshot: save and close]

5. Now open the template list like below; you will get an Iframe which is running malicious code.
   [screenshot: template list]

Mitigation:

1. You should include the Content Security Policy frame-ancestors header in your HTTP response to prevent your website being loaded in a frame. Some older browsers may not have support for this header, so also use the X-Frame-Options header with value DENY, SAMEORIGIN or ALLOW-FROM uri. X-Frame-Options takes precedence over CSP frame-ancestors in some browsers.

2. You could additionally have some JavaScript "frame-breaker" code that will prevent your website from being "framed" in older browsers.

• Output encoding: It is recommended to implement 'output encoding' to convert untrusted input into a safe form where the input is displayed as data to the user without executing as code in the browser.

Java HTML encoding function:

```java
import java.text.StringCharacterIterator;

public static String HTMLEncode(String aTagFragment) {
    final StringBuffer result = new StringBuffer();
    final StringCharacterIterator iterator = new StringCharacterIterator(aTagFragment);
    char character = iterator.current();
    while (character != StringCharacterIterator.DONE) {
        // replace every character that can alter HTML structure with its entity
        if (character == '<') result.append("&lt;");
        else if (character == '>') result.append("&gt;");
        else if (character == '"') result.append("&quot;");
        else if (character == '\'') result.append("&#039;");
        else if (character == '\\') result.append("&#092;");
        else if (character == '&') result.append("&amp;");
        else {
            // the char is not a special one
            // add it to the result as is
            result.append(character);
        }
        character = iterator.next();
    }
    return result.toString();
}
```

• Escaping: Escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into.

ESAPI API:

```java
String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );
```

• Filtering input parameter: Positive or "whitelist" input validation with appropriate canonicalization is the recommended filtering technique. Alternatively, black-list filtering input works by removing some or all special characters from your input. Special characters are characters that enable script to be generated within an HTML stream. Special characters include the following: <> " ' % ; ) ( & + -

JavaScript code:

```javascript
function RemoveBad(strTemp) {
    // blacklist approach: strip the characters listed above
    strTemp = strTemp.replace(/[<>"'%;()&+\-]/g, "");
    return strTemp;
}
```
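Added example, not code from the Evolution CMS project or from the issue author: the two mitigation styles described above (HTML/attribute output encoding versus blacklist character stripping) applied to the exact template-name payload quoted in this issue, rendered into a hypothetical listing row so the difference is visible. The row markup, the function names and the `containsLiveIframe` check are assumptions made for the demonstration; the encoder follows the same entity table as the Java HTMLEncode above (plus `/`, as OWASP recommends for attribute contexts).

```javascript
// Added example (not from Evolution CMS or the issue author). Runs under Node.js, no dependencies.

// Entity table for HTML body and quoted-attribute contexts. Every character that
// could close an attribute or open a tag becomes inert text.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
  '/': '&#x2F;',
};

// Output encoding: the untrusted value is preserved, only its representation changes.
function htmlEncode(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Blacklist filtering as in the issue's RemoveBad (regex made valid): characters are
// destroyed, so legitimate names containing '-', '(' or '&' are silently mangled.
function removeBad(untrusted) {
  return String(untrusted).replace(/[<>"'%;()&+\-]/g, '');
}

// Hypothetical listing row: the template name lands inside a double-quoted
// attribute AND in element text, which is where the quoted payload breaks out.
function renderTemplateRow(name, encode) {
  const safe = encode(name);
  return `<tr><td title="${safe}">${safe}</td></tr>`;
}

// Minimal check: does the rendered HTML still contain a live <iframe start tag?
function containsLiveIframe(html) {
  return /<iframe/i.test(html);
}

// Constructed sample input: the payload quoted in the issue's POC.
const PAYLOAD = '"/><iframe/src="https://evil.com"></iframe>';

function demo() {
  const encoded = renderTemplateRow(PAYLOAD, htmlEncode);
  const filtered = renderTemplateRow(PAYLOAD, removeBad);
  return {
    encoded,
    filtered,
    encodedSafe: !containsLiveIframe(encoded),
    filteredSafe: !containsLiveIframe(filtered),
    // shows the data loss that blacklist stripping causes on a harmless name
    mangledLegitName: removeBad('My-Template (v2)'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Both approaches neutralise this particular payload, but only encoding keeps the stored name intact and reversible; `removeBad` turns `My-Template (v2)` into `MyTemplate v2`. One caveat on point 1 above: `frame-ancestors` and `X-Frame-Options` control whether *this* site may be embedded in someone else's frame; they do not stop a frame that has been injected into the site's own page. The CSP directive that restricts which origins a page itself may load in frames is `frame-src` (falling back to `child-src` / `default-src`), so that is the header to pair with output encoding for the scenario in this report.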

@AgelxNash AgelxNash self-assigned this Mar 22, 2019
@modwebpl

modwebpl commented Apr 8, 2019

Payload will execute as a separate environment because of its "iframe policy", so there is no worry about this =].

So in fact <iframe src="evil.com/shell.php"> will run shell.php on the remote evil.com instead of the Evolution server, and JS doesn't have the privilege to inject itself into the local DOM object :)

@AgelxNash

The fix is contrary to the access policy in the administration panel. Having access to create templates / snippets / chunks or plug-ins, you can execute arbitrary code. Therefore, XSS is not something that we should worry about.

@prasadlingamaiah prasadlingamaiah changed the title I-Frame Injection Vulnerability I-Frame Injection Vulnerability in Evolution CMS 2.0.x Aug 2, 2019