
List:       full-disclosure
Subject:    [FD] SiteVision Insufficient Module Access Control
From:       Oscar Hjelm <Oscar.Hjelm () cybercom ! com>
Date:       2019-12-05 18:45:30
Message-ID: 8C22900E-9741-463A-BDEA-D9A55C28F7A7 () cybercom ! com

# SiteVision Insufficient Module Access Control

CVE-2019-12734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12734
https://www.cybercom.com/About-Cybercom/Blogs/Security-Advisories/high-risk-vulnerabilities-in-cms-product/



## Summary
Attackers may inject non-authorised modules when editing pages using a low-privilege account, leading to impacts ranging from Cross-Site Scripting to Remote Code Execution.


## Vendor Description
SiteVision AB is a Swedish product company focused on developing the portal and web publishing platform SiteVision.


## Affected Versions
All versions of SiteVision 4 until 4.5.6.
All versions of SiteVision 5 until 5.1.1.
Earlier major versions are assumed to be vulnerable.


## Technical Details
This vulnerability allows remote code execution as described in CVE-2019-12733.

Modules are basic building blocks in SiteVision pages and templates; they can feature display content such as headings and paragraphs, social functions and commenting, raw HTML, or server-side scripts.

The SiteVision application does not sufficiently assert whether the current user is authorised to add a specific module type to the current page, allowing low-privilege attackers to add hostile content. This can trivially be reproduced by adding a paragraph text module and changing "text" to "html" (or any other type) in the outgoing HTTP request. The application does not check whether the user is authorised to add the requested module; it relies on the fact that the user interface does not expose a button for it.

Reproduced on SiteVision 4 and 5; the following steps apply to SiteVision 5:

1. Install SiteVision and either create or import a new site.
2. Set up and create an Editor ("Redaktör") user.
3. Log on as the new low-privilege user.
4. Create a new page and note how only basic modules are available.
5. Insert a text module.
6. Re-send the HTTP request generated in step #5, but change the value of portletType from "text" to "html". The following is the resulting request for our demo environment:

```
POST /edit-api/1/4.549514a216b1c6180f41c3/4.549514a216b1c6180f41c3/portlet HTTP/1.1
Host: fast.furious
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en
Accept-Encoding: gzip, deflate
Referer: http://fast.furious/edit/4.549514a216b1c6180f41c3
Content-Type: application/json; charset=utf-8
X-CSRF-Token: [...]
X-Requested-With: XMLHttpRequest
Content-Length: 70
Connection: close
Cookie: [...]

{"portletType":"html","relativeElement":"12.549514a216b1c6180f41d0"}
```

7. Edit the HTML module and inject any JavaScript payload such as `<script>alert(1)</script>`.
8. Under "Other" check "Show in edit mode".
9. Press "OK".
10. Note the alert pop-up, indicating that the injected JavaScript was executed.
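The root cause above is that the module type is only filtered by the editing UI, never by the server. The following is an added illustration (not SiteVision's code or API) of the flawed pattern beside a server-side allow-list check, plus a retrospective scan over constructed audit records; the role names, module types, and log fields are assumptions made for the example.

```python
import json

# Role-to-module allow-list. Role names and module types are assumptions
# made for this example, not SiteVision's real configuration or API.
ALLOWED_PORTLET_TYPES = {
    "editor": {"text", "heading", "image"},                    # basic modules
    "admin":  {"text", "heading", "image", "html", "script"},  # raw HTML / scripts
}

class Forbidden(Exception):
    """Raised when the caller may not add the requested module type."""

def vulnerable_create_portlet(role, body):
    """The flawed pattern: portletType is trusted because the UI never
    offered other values; the caller's role is never consulted."""
    req = json.loads(body)
    return {"portletType": req["portletType"],
            "relativeElement": req["relativeElement"]}

def hardened_create_portlet(role, body):
    """Server-side enforcement: the requested type must be in the caller's
    allow-list, regardless of what the editing UI exposes."""
    req = json.loads(body)
    portlet_type = req.get("portletType")
    if portlet_type not in ALLOWED_PORTLET_TYPES.get(role, set()):
        raise Forbidden(f"role {role!r} may not add module type {portlet_type!r}")
    return {"portletType": portlet_type,
            "relativeElement": req["relativeElement"]}

def find_unauthorised_module_adds(log_lines):
    """Scan constructed JSON-lines audit records (field names are assumptions)
    and return (user, portletType) for every module add that the caller's
    role should not have been permitted to perform."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if not rec.get("path", "").endswith("/portlet"):
            continue
        if rec["portletType"] not in ALLOWED_PORTLET_TYPES.get(rec["role"], set()):
            hits.append((rec["user"], rec["portletType"]))
    return hits

# Constructed sample records (not real SiteVision log output).
SAMPLE_LOG = [
    '{"user":"redaktor1","role":"editor","path":"/edit-api/1/a/b/portlet","portletType":"text"}',
    '{"user":"redaktor1","role":"editor","path":"/edit-api/1/a/b/portlet","portletType":"html"}',
    '{"user":"admin1","role":"admin","path":"/edit-api/1/a/b/portlet","portletType":"html"}',
]
```

The hardened handler rejects the step 6 request for an editor while still accepting it for an administrator, and the scan surfaces any historical request that slipped through the unchecked handler.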


## Vulnerability Disclosure Timeline
2019-06-03 - Disclosed to vendor
2019-06-04 - Vendor confirms vulnerability
2019-09-26 - Vendor issues patches
2019-12-04 - Public disclosure

Oscar Hjelm
Cybercom Sweden

