exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Xenforo Forum CMS 1.5.13 Cross Site Scripting

Xenforo Forum CMS 1.5.13 Cross Site Scripting
Posted Jul 3, 2017
Authored by Project Insecurity, MLT | Site insecurity.zone

Xenforo Forum CMS version 1.5.13 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 04a95493c65f2b52a034c87996556426ca17319df8588bae58b311116569aafc

Xenforo Forum CMS 1.5.13 Cross Site Scripting

Change Mirror Download
           ______  ______   _____     ___   _____   _____   _____              
| ___ \ | ___ \ | _ | |_ | | ___| / __ \ |_ _|
| |_/ / | |_/ / | | | | | | | |__ | / \/ | |
| __/ | / | | | | | | | __| | | | |
| | | |\ \ \ \_/ / /\__/ / | |___ | \__/\ | |
\_| \_| \_| \___/ \____/ \____/ \____/ \_/


_____ _ _ _____ _____ _____ _ _ ______ _____ _____ __ __
|_ _| | \ | | / ___| | ___| / __ \ | | | | | ___ \ |_ _| |_ _| \ \ / /
| | | \| | \ `--. | |__ | / \/ | | | | | |_/ / | | | | \ V /
| | | . ` | `--. \ | __| | | | | | | | / | | | | \ /
_| |_ | |\ | /\__/ / | |___ | \__/\ | |_| | | |\ \ _| |_ | | | |
\___/ \_| \_/ \____/ \____/ \____/ \___/ \_| \_| \___/ \_/ \_/


[+]---------------------------------------------------------[+]
| Vulnerable Software: Xenforo Forum CMS |
| Vendor: https://xenforo.com |
| Vulnerability Type: Persistent XSS (authenticated) |
| Date Released: 07/04/2017 |
| Released by: MLT |
[+]---------------------------------------------------------[+]

There is a stored XSS Vulnerability affecting the alert system for XenForo CMS. It allows an authenticated attacker
to create specialized payloads that are highly flexible in terms of who they want to target. It also allows an
attacker to replace the contents of the index page despite this not being possible via regular admin access. Payloads
can be 'timed', meaning that an attackers code can execute even AFTER they've lost access to their account with privs.

This is a low impact bug due to the fact that a mod/admin account is required on the forums in order to trigger
the vulnerability, but it still has a few 'legitimate' uses which i'm about to explain. I know you're probably
thinking "what's the point in having a stored XSS if I already have admin access?" - well, there are actually a
few different ways in which this comes in handy:

First off, If someone wanted to hack a website running XenForo and they gained access to an admin account, they
would be somewhat limited as to what they could do. For example it would not be possible to 'deface' the site simply
from an admin account (unless they figured out a method of spawning a shell via the admin panel). At most, all an
admin would be able to do is edit the page title and names of the forum boards in order to 'deface' the site.. but
via this method an admin would be able to replace the page content with their own HTML/CSS/JS via document.write();
this would allow for a full-blown defacement to take place rather than just some board names and the theme being changed.

Another use of this attack is the sheer level to which you can make it targeted. Want to only hit moderators with
your payload? No problem. Want to only hook the browsers of users who have reg'd within the past 48 hours? No problem.
Due to the nature of XenForo's alert system, you can choose exactly who you want your payloads to target. There are
a lot of filters available allowing you to choose whether your payload executes for a specific target user or whether
your payload executes for every single user of the site. You can also choose the time you want your payload to execute,
like a cronjob (this has another use which I'll describe in a moment)

This method is a quick way for an attacker who has limited ACP access to target a sites entire userbase.

Consider the following situation which would be typical of a xenforo 'hack':
- Attacker manages to bruteforce or phish a mod/admin login
- Attacker bans some users, messes with permissions, changes the forum board names
- Admin resets access, reverts forum to original settings and attack is over

Now, consider the same situtation but utilizing this XSS:
- Attacker manages to bruteforce or phish a mod/admin login
- Attacker sends out a payload targeting the entire sites userbase
- Users (including other mods/admins) have their browsers hooked, spear phished, infected with malware, etc
- Attacker sets up a new alert, this time set to execute in 24 hours time
- Admin resets access, reverts forum to original settings
- Admin spends forever making sure other mods/admins accounts are safe and that they're not infected etc
- Admin is finally sure that the attack is over, happy that no accounts are compromised
- 24 hours later, Attackers timed payload executes, causing an admin acccount to be hijacked
- Back to step 1 :PpPpPp

This persistent XSS allows for _persistence_ in the true sense, if you create specially crafted payloads then it will
act as a 'backdoor' of sorts in the cases where spawning a webshell is out of the question. The fact you can make your
payloads ridiculously specific in terms of who you're targeting allows you to pwn the necessarry accounts while keeping
your attack hidden from other users (or allows you to pwn the entire userbase if you're feeling especially nasty). That,
along with the fact that you can choose WHEN you want your payloads to execute (and they'll still execute even after you
lose access) means that this can be very useful for persistence and maintaining access to a target system after an
initial foothold is gained. For an inexperienced administrator, this can be almost as useful as having shell access to
the target site.

There are actually two injection points here (one within HTML editor and the other within the link parameter for
alerts) - For a real-world attack, someone would be more likely to use the link paramater. The reasoning for this
is because it isn't included in the page source... this means that:

A) It won't be caught by browsers XSS auditors (It's redirecting to javascript:)
B) There won't be any give-away signs on the page (e.g. broken HTML, visual discrepancies)

So, to trigger the XSS (once you've got admin access), you'd do the following steps:

-> Navigate to ACP
-> Navigate to 'Users'
-> Navigate to 'Contact Users'
-> Click 'Alert Users'
-> Add 'javascript:yourPayload();' into the 'Link URL' input box
-> Scroll down and choose exactly who you want your payload to target and what times you want
it to execute
-> Click 'Continue'
-> Click 'send alert'

It will then send out alerts to all of the users that you specified within the ACP (or ALL users if you choose
that as your option). As soon as the user clicks to see what the new notification is, the payload is executed.
-------------------------------------------------------------------------------------------------------------

P.S. - This is just a minor bug to whet your appetite. You can expect two CRITICAL 0days for XenForo very soon :)

-------------------------------------------------------------------------------------------------------------

How to fix: Sanitize inputs, ensure httponly and other necessary security headers are set

[+]---------------------------------------------------------[+]
| CONTACT US: |
| |
| IRC: irc.insecurity.zone (6667/6697) #insecurity |
| Twitter: @insecurity |
| Website: insecurity.zone |
[+]---------------------------------------------------------[+]
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close