A trio of XSS bugs in open-source web applications could lead to a complete system compromise


Evolution CMS, FUDForum, and GitBucket vulnerabilities chained together for maximum impact

Researchers have released details of a trio of cross-site scripting (XSS) vulnerabilities in popular open-source applications that could lead to remote code execution (RCE).

The security bugs, discovered by a research team from PT Swarm, were discovered in web development applications Evolution CMS, FUDForum, and GitBucket.

A traditional XSS attack allows the attacker’s JavaScript code to be executed in the victim user’s browser, opening the door to cookie theft, redirection to a phishing site, and more.

Web security researcher Aleksey Solovev said The daily sip that this research, detailed in The PT Swarm Blogrelates to how “the combination of the discovered possibility of carrying out an XSS attack and the integrated file manager (or the execution of an SQL query) in the administration panel can lead to a complete compromise of the system “.

Triple Threat

The first vulnerability, in Evolution CMS v3.1.8, could allow an attacker to conduct a thoughtful XSS attack in multiple locations in the admin panel.

“An attacker could try to force a system administrator to follow a malicious link via social engineering, which would lead to execution of malicious JavaScript code in the attacker’s browser,” Solovev said. The daily sip.

“The consequence would be a complete system compromise by overwriting the executable file using the built-in file manager.”

Learn more about the latest web security research here

A second flaw, found in FUDforum v3.1.1, could potentially allow a malicious actor to carry out an XSS attack stored in the name of the file attachment in private messages.

“An attacker could send a private message to an administrator with a malicious payload in the name of the attached file,” Solovev said.

“When this message is read by the administrator, their browser executes the JavaScript code and, using the built-in file manager, an executable file is created which allows the attacker to execute commands on the server.”

Finally, in GitBucket v4.37.1, a security bug was discovered that could allow an attacker to carry out an XSS attack stored in “multiple places”, according to Solovev.

An attacker needed to create an issue in a public repository and inject JavaScript into the assignment name.

This event would be displayed in the general feed and the attacker’s profile. It is in these places that the insecure display of the task name with a malicious payload was present, which led to the execution of JavaScript code in the browser of everyone who viewed these pages.

“In the admin panel, it was possible to run SQL code based on the H2 database engine, for which there is already an exploit that allows running a command on the server,” Solovev explained.

“Putting it all together, an attacker could attack the admin and gain the ability to run commands on the server.”

Patches released

All three vulnerabilities are pending CVE but have been fixed by project managers, Solovev said. The daily sip.

The researcher added that the main difficulty in discovering these flaws was to find the possibility of carrying out an XSS attack.

“The rest of the steps were easier because they had public exploits for legitimate functionality in the form of a file manager in the admin panel,” he explained.

You can find more information about the vulnerabilities and the technical details of the exploit in The PT Swarm Blog.

YOU MIGHT ALSO LIKE GitHub Actions Workflow Flaws Provided Write Access to Projects Including Logstash


Comments are closed.