oss-sec mailing list archives
CVE request: XSS to RCE in PHP-Fusion 9
From: Brendan Scarvell <bscarvell () iix net>
Date: Sat, 28 Nov 2015 09:24:58 +1000
I discovered a stored XSS vulnerability in PHP-Fusion 9 that can result in RCE. Robots.php is an administration tool that allows an administrator with access to this feature to modify the robots.txt file. The robots.txt editor fails to sanitize the robots.txt file content as it loads the <textarea> content. Someone who has access to this tool, can submit a malicious payload to the contents of the robots.txt file. When a higher privileged user browses the robots.txt editor, the XSS payload does a silent ajax request to /administration/banners.php and pulls out their hidden CSRF token. It then uses their syphoned CSRF token and performs an ajax POST request to the banners page with PHP code that is then executed unbeknownst to the victim, resulting in a reverse TCP shell to an attackers server. A working payload can be found here: https://gist.github.com/bscarvell/57f82000bf823071404e The issue has been resolved in the following commit: https://github.com/php-fusion/PHP-Fusion/commit/f1a5fce791e2392d5a23a6d62ab65c481cdd6a66 This breaks a trust boundary as a user with access to only the robots.txt editor can use this to escalate their privileges, read files or gain a reverse TCP shell on the server. Please assign a CVE ID to this issue. A request was sent to MITRE directly 18 days ago with no response. Thanks, Brendan Scarvell
Current thread:
- CVE request: XSS to RCE in PHP-Fusion 9 Brendan Scarvell (Nov 27)
- Re: CVE request: XSS to RCE in PHP-Fusion 9 cve-assign (Nov 29)