Elefant CMS 1.3.12-RC: Open Redirect, Host Header Injection, Leakage of Password Hashes
Date: 2017-02-02 13:41:571. Introduction
| Affected Product: | Elefant CMS 1.3.12-RC |
| Fixed in: | 1.3.13 |
| Fixed Version Link: | https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_13_rc |
| Vendor Website: | https://www.elefantcms.com/ |
| Vulnerability Type: | Open Redirect, Host Header Injection, Leakage of Password Hashes |
| Remote Exploitable: | Yes |
| Reported to vendor: | 09/05/2016 |
| Disclosed to public: | 02/02/2017 |
| Release mode: | Coordinated Release |
| CVE: | n/a (not requested) |
| Credits | Tim Coen of curesec GmbH |
2. Overview
Elefant is a content managment system written in PHP. In version 1.3.12-RC, it is vulnerable to various low to medium impact issues, namely open redirect, host header injection, and the leakage of password hashes. Open redirect and host header injection can be used for phishing attacks. The leakage of password hashes is restricted to users with an admin account.
3. Details
Open Redirect
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
There is an open redirect vulnerability in the cancel action which may be used for phishing attacks.
Proof of Concept:
/admin/cancel?type=Designer&id=layouts%2Fminimal%2Fstyle.css&return=http://google.com
Leakage of Password Hashes
CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
When comparing versions of a user, the password hash as well as the current session id are printed.
A user account with the right to restore previous versions is required. Per default, only the admin role has this right.
Proof of Concept:
http://localhost/admin/compare?id=3¤t=yes http://localhost/admin/compare?id=7¤t=no
Host Header Injection
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N
The application takes the Host Header and uses it in a password reset email. As the Host Header is user-controlled, an attacker can set it to arbitrary values.
In the case of a password reset page, this can lead to security issues as an attacker can request a password reset email for a user and set the Host header to a server they control. As this header is used in the email, a user would be send to the attackers server if they were to click on the link, leading to the leakage of the recovery token and thus the compromisation of the account.
Proof of Concept:
Request: POST /user/recover HTTP/1.1 Host: example.com Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 64 email=foo%40example.com&_token_=31c2cdbe1092449f631ba90bae1937e1 Email Send: Password recovery Hi foo,=0A=0AA request has been made to reset your password. You can ver= ify your=0Aemail address and reset your password at the following link:= =0A=0Ahttp://example.com/user/newpass?recover=3D3c9971cff8ad273978621625= 2210fd1b&email=3Dfoo%40example.com=0A=0AIf you received this message in= error, you can safely ignore it.=0A=0ARegards,=0A=0AYour Site Name
4. Solution
To mitigate this issue please upgrade at least to version 1.3.13.
Please note that a newer version might already be available.
5. Report Timeline
| 09/05/2016 | Informed Vendor about Issue, Vendor announces fix |
| 11/07/2016 | Asked Vendor if recent releases fixes issues, Vendor confirmed |
| 02/02/2017 | Disclosed to public |