2 August 2021

[CVE-2021-26545] [CVE-2021-26546] [CVE-2021-26547] [CVE-2021-26548] [CVE-2021-28932] [CVE-2021-31413]: Multiple vulnerabilities within a press relations solution v5.2.38.1.1

Introduction

A few months ago, BSSI performed a penetration test against a client’s press relations solution application.

This article describes five vulnerabilities discovered by the BSSI audit team during this penetration test. They affect the press relations solution application (version 5.2.38.1.1).

The solution’s administrative interface makes it simple to administer and configure a public relations web site:

Figure 1 : Administrative interface of the application

During the penetration tests, the auditors found that six values were not encoded before being reused by the application. The lack of output encoding on these values allows an attacker to inject arbitrary JavaScript code, which is then executed on the client side.

First vulnerability – JavaScript injection (XSS) on the admin dashboard page (CVE-2021-26545)

The first vulnerability allowed an authenticated attacker to inject malicious code running on the client side (JavaScript) into web pages visited by other administrators (stored XSS).

Tests conducted by the auditors revealed a parameter vulnerable to Cross-Site Scripting (XSS) injections. It was identified in the admin dashboard page of the administration interface (https://REDACTED.XXX.link/dashboard).

The first vulnerable field was the title of the articles. A firewall (NinjaFirewall WP+) did prevent injecting a complete malicious payload into this field, but it was possible to bypass this protection by injecting the beginning and the end of the malicious payload into two different article titles:

Figure 2 : Splitting the payload bypasses the firewall

When the dashboard was displayed, the malicious payload was reconstructed and then executed:

Figure 3 : The malicious payload was reconstructed

Second vulnerability – JavaScript injection (XSS) on an article page (CVE-2021-26546)

The second vulnerable field was img_caption, the caption of the images of the articles. The Content Security Policy (CSP) did prevent loading a script from untrusted sources, but it was possible to bypass this protection by using a callback function hosted on a trusted domain:

Figure 4 : Using a callback function hosted in a trusted domain can bypass the CSP

When the article was accessed by any user, the malicious payload was executed:

Figure 5 : img_caption field was not sanitized

Third vulnerability – JavaScript injection (XSS) on an article page (CVE-2021-26547 and CVE-2021-26548)

Two more vulnerable parameters were found during the audit. The two fields content and cp_teaser were not sanitized before being reused in JSON-formatted JavaScript. The payload had to be formatted in a specific way so that the pre-existing script remained valid JSON and could still be rendered:

Figure 6 : cp_teaser and content fields were not sanitized

When the article was accessed by any user, the malicious payload was executed:

Figure 7 : Cross Site Scripting in an article

Fourth and fifth vulnerabilities – JavaScript injection (XSS) on an article page (CVE-2021-28932 and CVE-2021-31413)

The last two vulnerable fields were the overtitle and the subtitle (cp_overtitle and cp_subtitle1) of the articles:

Figure 8 : Two more vulnerable fields in an article

A payload like <META HTTP-EQUIV="refresh" CONTENT="0;url=https://evil.com"> could have instantly redirected any user to a malicious website.
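As an added example, not part of the original advisory or of the vendor's product, the following Node.js snippet shows the defensive counterpart to the first and third vulnerabilities above: encoding every article field for the context it is rendered in, HTML text for title, img_caption and cp_overtitle, and JSON inside an inline script for content and cp_teaser. The field names are taken from the advisory; the render functions and the sample article values are constructed for the illustration.

```javascript
// Added example, not the vendor's code: context-aware output encoding for the
// sinks described in the advisory. Field names follow the advisory
// (title, img_caption, content, cp_teaser, cp_overtitle); the render helpers
// and the sample data are constructed for this illustration.

// Encode a value for an HTML text or quoted attribute-value context.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Serialise data for embedding inside an inline <script>. JSON.stringify alone
// is not enough: the HTML parser ends the script element at the first
// "</script>" it sees, before the JavaScript parser runs, so a string value
// containing "</script>" breaks out of the block. Escaping <, > and & as
// \uXXXX keeps the output valid JSON while removing every character the HTML
// parser cares about; U+2028/U+2029 are escaped because older engines treat
// them as line terminators inside JavaScript string literals.
function encodeJsonForScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Dashboard: each title is encoded at render time, so two titles that each
// carry half of a payload cannot recombine into markup, whatever a
// request-time filter did or did not match on each of them.
function renderDashboard(articles) {
  const rows = articles.map((a) => `  <li>${encodeHtml(a.title)}</li>`);
  return '<ul>\n' + rows.join('\n') + '\n</ul>';
}

// Article page: HTML contexts use encodeHtml; the JSON blob consumed by the
// page's own script uses encodeJsonForScript.
function renderArticle(article) {
  const data = { content: article.content, cp_teaser: article.cp_teaser };
  return [
    `<h1>${encodeHtml(article.cp_overtitle)}</h1>`,
    `<figcaption>${encodeHtml(article.img_caption)}</figcaption>`,
    `<script>var article = ${encodeJsonForScript(data)};</script>`,
  ].join('\n');
}

// Small helper used to check how many times a marker appears in rendered output.
function countOccurrences(haystack, needle) {
  return haystack.split(needle).length - 1;
}

// Constructed sample input: two dashboard titles that only form a tag when
// concatenated, and one article whose fields carry markup and a script break-out.
const sampleArticles = [
  { title: 'Part one <scr' },
  { title: 'ipt>x</script> part two' },
];
const sampleArticle = {
  title: 'Press release',
  img_caption: '"><img src=x onerror=x>',
  content: 'Body text',
  cp_teaser: '"};</script><script>x</script>',
  cp_overtitle: '<META HTTP-EQUIV="refresh" CONTENT="0;url=https://evil.com">',
};

console.log(renderDashboard(sampleArticles));
console.log(renderArticle(sampleArticle));
```

Encoding at output time is what makes the two bypasses described above irrelevant: a request-time filter such as a web application firewall can only judge one field at a time, whereas output encoding neutralises each fragment wherever it lands. Likewise, a CSP that allow-lists a domain hosting JSONP-style callback endpoints does not stop script injected into a page; a nonce-based script-src is the more robust companion to the encoding shown here.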

Conclusion

Upon discovery of the vulnerabilities, the BSSI auditing team contacted the DevOps team responsible for the product and reported the vulnerabilities to them. A patch was made available on March 23rd, 2021 (corresponding to version 5.2.38.1.2). This patch effectively fixes 3 of the vulnerabilities, although there is no public changelog. On June 29th, 2021, the vendor added a firewall to fix the last two vulnerabilities.

Those vulnerabilities are now known as CVE-2021-26545, CVE-2021-26546, CVE-2021-26547, CVE-2021-26548, CVE-2021-28932 and CVE-2021-31413.

Timeline

01/15/2021 – Discovery of the vulnerabilities
01/19/2021 – First contact with the development team
01/02/2021 – CVE ID request sent to MITRE
01/02/2021 – 4 CVE IDs assigned by MITRE
02/09/2021 – Contact with the development team
03/02/2021 – Contact with the development team
03/02/2021 – The vendor claims the vulnerabilities are fixed
03/04/2021 – Fix verification (1/3 patched) + discovery of 2 new vulnerabilities
03/19/2021 – Contact with the development team
03/23/2021 – The vendor claims the vulnerabilities are fixed by patch V5.2.38.1.2
03/24/2021 – Fix verification (3/5 patched)
04/08/2021 – Contact with the development team
04/16/2021 – CVE ID request sent to MITRE
04/16/2021 – 2 CVE IDs assigned by MITRE
05/21/2021 – Contact with the development team
05/21/2021 – The vendor claims the vulnerabilities are fixed
05/21/2021 – Fix verification (3/5 patched)
06/29/2021 – The vendor claims the vulnerabilities are fixed using a firewall
06/29/2021 – Fix verification (3/5 patched)
06/29/2021 – The vendor claims the vulnerabilities are fixed using a firewall with new rules
06/30/2021 – Fix verification (5/5 patched)
08/02/2021 – Vulnerability disclosure (notification + 151 days from the last discovery)
