SEC Consult Vulnerability Lab Security Advisory < 20200225-0 >
=======================================================================
              title: Multiple Cross-site Scripting (XSS) Vulnerabilities
            product: PHP-Fusion CMS
 vulnerable version: 9 - 9.03
      fixed version: 9.03.30
         CVE number: -
             impact: Medium
           homepage: https://www.php-fusion.co.uk
              found: 2019-12-09
                 by: M. Ali (Office Malaysia)
                     N. Ramadhan (Office Malaysia)
                     W. Ikram (Office Malaysia)
                     R. Jaafar (Office Malaysia)
                     S. Maskan (Office Malaysia)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"PHP-Fusion is a lightweight open source content management system (CMS)
written in PHP."

Source: https://github.com/php-fusion

Business recommendation:
------------------------
Update to the latest version of PHP-Fusion.

An in-depth security analysis performed by security professionals is highly
advised, as the software may be affected by further security issues.

Vulnerability overview/description:
-----------------------------------
1. Stored XSS vulnerability
This vulnerability within PHP-Fusion allows an attacker (a user with the
"edit post" capability) to inject malicious client-side script code which
is then executed in the browser of any user with "Error Log" access
privileges (usually an administrator or super administrator).

2. Reflected XSS vulnerability
This vulnerability within PHP-Fusion allows an attacker to inject malicious
client-side script code which is executed in the browsers of users.

Proof of concept:
-----------------
1. Stored XSS vulnerability
a) Edit Blog Post Function
This vulnerability can be exploited by an attacker with the "edit post"
capability. By editing a blog post, malicious script code can be injected
through the affected parameters (listed below).
When the changes are saved, the application stores the XSS payload in the
database as an error (table _errors). The application then loads all stored
errors to notify the administrator in the "Error Log" notification module.
Because the application loads every stored error on every page, the XSS
payload is executed on any page for as long as the affected user's session
is active.

Below is an example of how the XSS issue can be exploited.

URL      : http://$DOMAIN//fusion/infusions/blog/blog_admin.php?aid=&action=edit&section=blog_form&blog_id=
METHOD   : POST
PAYLOAD  : '>
PARAMETER: blog_image, blog_image_t1, blog_image_t2

Content-Type: multipart/form-data; boundary=---------------------------247592002319215
Content-Length: 3051
Origin: http://$DOMAIN
Connection: close
Referer: http://$DOMAIN/fusion/infusions/blog/blog_admin.php?aid=&action=edit&section=blog_form&blog_id=2
Cookie: [snip]

[snip]
-----------------------------247592002319215
Content-Disposition: form-data; name="blog_image"

pp.jpg'>
[snip]

2. Reflected XSS vulnerability
a) Preview Function
This vulnerability can be exploited by an unauthenticated attacker. The XSS
payload is injected into the preview.ajax.php script through the parameter
"text". Below is an example of how the XSS issue can be exploited through
CSRF.

URL    : http://$DOMAIN//includes/dynamics/assets/preview/preview.ajax.php
METHOD : POST
PAYLOAD: Create an HTML file with the content below and open it in a browser.
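Both issues above share one root cause: a value under attacker control (the
stored blog_image name shown in the Error Log, or the reflected "text"
parameter of the preview endpoint) reaches an HTML response without output
encoding. The following PHP is an added illustration of the generic
mitigation, written for this advisory; it is not PHP-Fusion code and does not
show how the vendor fixed 9.03.30. The function names, the row layout of the
constructed error-log sample, and the same-origin check on the preview
handler are assumptions made for the example.

```php
<?php
// Added example (not PHP-Fusion code): output-encode untrusted values before
// they are placed into HTML, so an injected image name stored in the error
// table or an injected "text" parameter is rendered as literal text.

declare(strict_types=1);

/** Encode a value for use in HTML element content or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render error-log rows into an HTML list. $rows is a constructed stand-in
 * for what a module would read from the _errors table; every column is
 * treated as untrusted because the message originates from a form field
 * that a blog editor controls.
 */
function renderErrorLog(array $rows): string
{
    $html = "<ul class=\"error-log\">\n";
    foreach ($rows as $row) {
        $html .= sprintf(
            "  <li><code>%s</code> in <code>%s</code> line %d</li>\n",
            h((string) $row['message']),
            h((string) $row['file']),
            (int) $row['line']
        );
    }
    return $html . "</ul>\n";
}

/**
 * Minimal preview handler. It accepts only POST requests whose Origin header
 * matches the site (a cross-site HTML form submission carries the attacker's
 * origin, which defeats the CSRF route described in the advisory) and it
 * encodes the echoed text so injected markup is displayed, not executed.
 * Returns [HTTP status, body].
 */
function previewResponse(string $method, array $headers, array $post, string $expectedOrigin): array
{
    if ($method !== 'POST') {
        return [405, 'Method Not Allowed'];
    }
    $origin = $headers['Origin'] ?? '';
    if ($origin !== $expectedOrigin) {
        return [403, 'Forbidden'];
    }
    $text = (string) ($post['text'] ?? '');
    return [200, '<div class="preview">' . h($text) . '</div>'];
}

// Constructed sample data; not taken from a real installation.
$rows = [
    [
        'message' => "Image file not found: pp.jpg'><em>injected</em>",
        'file'    => 'infusions/blog/blog_admin.php',
        'line'    => 42,
    ],
];
echo renderErrorLog($rows);
// The <em> tag above appears as &lt;em&gt; in the output, so the browser
// never parses it as markup.

[$status, $body] = previewResponse(
    'POST',
    ['Origin' => 'http://cms.example'],
    ['text' => '<b>bold</b>'],
    'http://cms.example'
);
echo "$status $body\n";

// A cross-site form post carries a different Origin and is refused.
[$status, $body] = previewResponse(
    'POST',
    ['Origin' => 'http://attacker.example'],
    ['text' => '<b>bold</b>'],
    'http://cms.example'
);
echo "$status $body\n";
```

Encoding at the point of output, rather than trying to strip tags on input,
is what makes the stored case safe: the value in _errors may still contain
a quote and an angle bracket, but the Error Log module never hands them to
the HTML parser. The Origin check is a defence for the preview endpoint
independent of the encoding; an application that already issues CSRF tokens
for authenticated forms should apply the same token check here.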
Vulnerable / tested versions:
-----------------------------
PHP-Fusion version 9.03.00 has been tested, which was the latest version
available at the time of the test.

Vendor contact timeline:
------------------------
2019-12-10: Contacting vendor by email technical@php-fusion.co.uk,
            sales@php-fusion.co.uk, billing@php-fusion.co.uk,
            management@php-fusion.co.uk
2019-12-11: Vendor lead developer contacts SEC Consult via WhatsApp and asks
            for the details to be sent unencrypted to his email
            chan@php-fusion.co.uk. Email sent to the lead developer on the
            same day.
2020-01-23: Vendor fixed the reported issues, but the fix can be bypassed.
            SEC Consult informed the lead developer via WhatsApp. The lead
            developer requests an extension (3 weeks). Latest possible
            release date changed to 24th Feb 2020.
2020-02-01: Vendor fixed issue no. 2 (Reflected XSS). Issue no. 1 (Stored
            XSS) remains unfixed.
2020-02-04: Vendor informed that the fixed version is available on the
            GitHub page.
2020-02-11: Vendor requested two weeks to inform their users to update their
            websites. Latest possible release date changed to 25th Feb 2020.
2020-02-11: Requesting CVE ID, only automatic reply with request ID.
2020-02-21: Asking for CVE ID again, no reply.
2020-02-25: Public release of security advisory.

Solution:
---------
The fixed version 9.03.30 is available at the vendor's download section:
* https://www.php-fusion.co.uk/php_fusion_9_downloads.php

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker.
The SEC Consult Vulnerability Lab supports high-quality penetration testing
and the evaluation of new offensive and defensive technologies for our
customers. Hence our customers obtain the most current information about
vulnerabilities and valid recommendations about the risk profile of new
technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?
Send us your application
https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices
https://www.sec-consult.com/en/contact/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Ali, W. Ikram, S. Maskan, N. Ramadhan, R. Jaafar / @2020