Silverstripe CMS 5.2 : Malicious File Upload (XSS in PDF)
Description:
# An issue was discovered in Silverstripe CMS 5.2.
# We have identified a vulnerability that allows an authenticated account with the “Edit any file” permission to upload a PDF file containing malicious JavaScript code (stored cross-site scripting) into the target system. If the PDF file is opened through the website, it can lead to a cross-site scripting (XSS) attack or the execution of arbitrary code via crafted JavaScript against the target.
Affected Component:
http://[ip]/admin/assets/api/createFile
http://[ip]/admin/graphql
Payload:
%PDF-1.7
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>>
2 0 obj
<</S /JavaScript /JS (app.alert('Grim The Ripper Team'))
>> trailer <</Root 1 0 R>>
Proof of Concept:
First, log in to the target application using an admin account or any other user account that has the “Edit any file” permission.
Next, choose “Add new”.
Then create a new page by following these steps.
- Select “Under another page”.
- Select “Contact Us” page.
- Select “Page Generic content page”.
- Click “Create” to add the new page.
Then follow these steps.
- Define a new page name (this step is optional).
- Select picture icon (Select from Files).
Then select “Upload” and choose the malicious PDF file to upload.
You will find that the file uploads successfully.
Then insert the file into the web page by following these steps.
- Select pdf file (xss by grim).
- Define the link text and link description (e.g. ClickMe!!).
- Check “Open in new window/tab”.
- Click “Insert file”.
Then click “Publish” to publish the new page to the site.
You will find that the new page publishes successfully.
Finally, trigger the malicious PDF file by following these steps.
- Select “Contact Us” page.
- Select “XSS TEST” page.
- Click “ClickMe!!” to open the PDF file.
The XSS payload will run immediately.
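As an added defensive example (not part of the advisory or of Silverstripe CMS), the following Python upload check flags PDFs that carry script or auto-run actions such as the /OpenAction and /JavaScript names in the payload above, including names hidden behind hex escapes or inside deflated streams. The three sample files are constructed inline; the check is a surface scan for review, not a full PDF parser.

```python
import re
import zlib

# Name tokens whose presence means the PDF carries active content (scripts or auto-run actions).
ACTIVE_CONTENT_NAMES = {
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/RichMedia", b"/SubmitForm",
}
NAME_TOKEN = re.compile(rb"/[A-Za-z0-9_.\-]+")          # a PDF name object
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")          # #xx escape inside a name
STREAM_BODY = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Constructed samples: the shape of the advisory's payload, a harmless PDF, and the same
# dictionary packed into a FlateDecode stream so it is invisible to a plain text search.
MALICIOUS_PDF = (b"%PDF-1.7\n1 0 obj\n<</Pages 1 0 R /OpenAction 2 0 R>>\n2 0 obj\n"
                 b"<</S /JavaScript /JS (app.alert('constructed sample'))\n>> trailer <</Root 1 0 R>>\n")
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj <</Type /Catalog /Pages 2 0 R>> endobj\n"
              b"2 0 obj <</Type /Pages /Kids [] /Count 0>> endobj\ntrailer <</Root 1 0 R>>\n")
COMPRESSED_PDF = (b"%PDF-1.7\n3 0 obj\n<</Type /ObjStm /Filter /FlateDecode>>\nstream\n"
                  + zlib.compress(b"2 0 obj <</S /JavaScript /JS (x)>>") + b"\nendstream\nendobj\n")


def _decode_names(data: bytes) -> bytes:
    # Names may disguise keywords with hex escapes (/Java#53cript); normalise before matching.
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflated_streams(data: bytes):
    # Objects may be packed into FlateDecode streams; inflate what we can so names inside become visible.
    # decompressobj() tolerates a body trimmed at a trailing CR/LF by the regex, unlike zlib.decompress().
    for body in STREAM_BODY.findall(data):
        try:
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            continue


def find_active_content(data: bytes) -> set:
    """Return the active-content names found on the surface of the file or inside deflated streams."""
    found = set()
    for chunk in (data, *_inflated_streams(data)):
        found |= set(NAME_TOKEN.findall(_decode_names(chunk))) & ACTIVE_CONTENT_NAMES
    return found


def is_safe_upload(data: bytes) -> bool:
    """Accept only files that start like a PDF and carry no active-content names; flag the rest for review."""
    return data.startswith(b"%PDF-") and not find_active_content(data)


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF), ("compressed", COMPRESSED_PDF)):
        print(label, "safe" if is_safe_upload(sample) else f"flagged {sorted(find_active_content(sample))}")
```

Such a scan complements, rather than replaces, serving user uploads with a Content-Disposition: attachment header and a restrictive Content-Security-Policy, so that a PDF which slips through is downloaded instead of rendered in the site's origin.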
Author:
Grim The Ripper Team by SOSECURE Thailand.