4images 1.7.12 Cross Site Scripting
Posted on 10 December 2015
Security Advisory - Curesec Research Team 1. Introduction Affected Product: 4images 1.7.12 Fixed in: 1.7.13 (update) Fixed Version Link: http://www.4homepages.de/download-4images Vendor Website: http://www.4homepages.de/ Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 09/29/2015 Disclosed to public: 12/02/2015 Release mode: Coordinated release CVE: Requested, but not assigned Credits Tim Coen of Curesec GmbH 2. Overview There are two reflected XSS vulnerabilities in 4images, as well as a persistent Open Redirect, which may also lead to XSS in older browsers. This allows an attacker to execute arbitrary JavaScript in the context of the browser of a victim if the victim clicks on an attacker supplied link or visits an attacker controlled website. With this, it is possible to bypass CSRF protection and thus do anything the victim can do, inject a JavaScript keylogger, or perform phishing attacks. It should be noted that the XSS vulnerability still existed in another form in the first release of version 1.17.13 and has been fixed with an update to that version. 3. Reflected XSS 1 CVSS Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Description When displaying the form to add new images, $_SERVER['PHP_SELF'] is echoed unencoded inside a select tag. Because of this, additional attributes can be added and new HTML tags can be created, leading to XSS. Proof of Concept Prior to Version 1.7.12: http://localhost/4images/admin/images.php/" onfocus=alert(1) autofocus foo="?action=addimages Version 1.7.13 (before update): http://localhost/4images/admin/images.php/');alert(1);window.location=('?action=addimages This required a click of the victim to trigger, and a redirect will be performed after the execution of the injected code. Code /admin/images.php show_num_select_row(" ", "num_newimages", $lang['num_addnewimages_desc']); /admin/admin_functions.php function show_num_select_row($title, $option, $desc = "") { global $site_sess, $PHP_SELF, $action, $$option; echo "<tr class="".get_row_bg().""> <td><p>".$title."</p></td> "; echo "<td align="right"><p>".$desc; $url = $PHP_SELF; $url .= preg_match("/?/", $url) ? "&" : "?"; $url .= "action=".$action; $url = $site_sess->url($url); echo "<select name="num" onchange="window.location=('".$url."&"; echo $option."='+this.options[this.selectedIndex].value)"> "; for ($i = 1; $i < 11; $i++) { echo "<option value="$i""; if ($i == ${$option}) { echo " selected"; } echo ">".$i."</option> "; } echo "</select></p></td> </tr> "; } 4. Reflected XSS 2 CVSS Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Description User input is echoed inside the src attribute of a frame, which makes it possible to execute javascript. Proof of Concept http://localhost/4images/admin/index.php?goto=javascript:alert%281%29 Code /admin/index.php if ($action == "") { $action = "frames"; } if ($action == "frames") { if ($goto != "" && strpos($goto, '://') === false) { $framesrc = $site_sess->url($goto); } else { $framesrc = $site_sess->url("home.php"); } ?> <html dir="<?php echo $lang['direction']; ?>"> <head> <title><?php echo $config['site_name']; ?> Control Panel</title> <meta http-equiv="Content-Type" content="text/html; charset=<?php echo $lang['charset']; ?>"> </head> <frameset rows="70,*" framespacing="0" border="0" frameborder="0" frameborder="no" border="0"> <frame src="<?php echo $site_sess->url("index.php?action=head"); ?>" name="head" scrolling="NO" NORESIZE frameborder="0" marginwidth="0" marginheight="0" border="no"> <frameset cols="216,*" framespacing="0" border="0" frameborder="0" frameborder="no" border="0"> <frame src="<?php echo $site_sess->url("index.php?action=nav"); ?>" name="nav" scrolling="auto" NORESIZE frameborder="0" marginwidth="0" marginheight="0" border="no"> <frame src="<?php echo $framesrc ?>" name="main" scrolling="auto" NORESIZE frameborder="0" marginwidth="20" marginheight="20" border="no"> </frameset> </frameset> </html> 5. Persistent Open Redirect CVSS Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Description When showing an uploaded image, the description and keyword are not properly encoded. Tags are removed, but it is still possible to add further attributes to the meta tag they are inserted into. This makes it possible to inject a redirect. This redirect will be persistent, meaning anyone visiting the site of the uploaded image will be redirected to an attacker controlled website. The attacker needs the rights to upload images to perform the attack, which means that a category needs to exist where anyone can upload images, or a category needs to exist where registered users can upload images and the registration must be open - which it is by default. Proof of Concept Upload an image, as description or keyword use: Version 1.7.11 and earlier: 5;URL=http://google.com/" http-equiv="refresh" foo=" Version 1.7.12: 5;URL=http://google.com/" http-equiv=refresh foo=" When visiting the page of the uploaded image, a redirect will be performed. With older browsers, it will be possible to inject and execute javascript as well. Code details.php $meta_keywords = !empty($image_row['image_keywords']) ? strip_tags(implode(", ", explode(",", $image_row['image_keywords']))) : ""; $meta_description = !empty($image_row['image_description']) ? strip_tags($image_row['image_description']) . ". " : ""; $site_template->register_vars(array( "detail_meta_description" => $meta_description, "detail_meta_keywords" => $meta_keywords, "prepend_head_title" => $image_name . " - ", )); 6. Solution To mitigate this issue please upgrade at least to version 1.7.13: http://www.4homepages.de/download-4images Please note that a newer version might already be available. 7. Report Timeline 09/29/2015 Informed Vendor about Issue 10/21/2015 Reminded Vendor of Disclosure Date 11/03/2015 Vendor releases new version (1.7.12), partially fixing issues 11/17/2015 CVE Requested (no reply) 11/18/2015 Vendor releases new version (1.7.13), partially fixing issues 11/23/2015 Vendor releases update to version 1.7.13, fixing the issues 12/02/2015 Disclosed to public Blog Reference: https://blog.curesec.com/article/blog/4images-1712-XSS-110.html -- blog: https://blog.curesec.com tweet: https://twitter.com/curesec Curesec GmbH Curesec Research Team Romain-Rolland-Str 14-24 13089 Berlin, Germany
