Elefant CMS 1.3.12-RC: Open Redirect, Host Header Injection, Leakage of Password Hashes

Elefant CMS 1.3.12-RC: Open Redirect, Host Header Injection, Leakage of Password Hashes

Date: 2017-02-02 13:41:57
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Elefant CMS 1.3.12-RC
Fixed in: 1.3.13
Fixed Version Link: https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_13_rc
Vendor Website: https://www.elefantcms.com/
Vulnerability Type: Open Redirect, Host Header Injection, Leakage of Password Hashes
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 02/02/2017
Release mode: Coordinated Release
CVE: n/a (not requested)
Credits Tim Coen of curesec GmbH

2. Overview

Elefant is a content managment system written in PHP. In version 1.3.12-RC, it is vulnerable to various low to medium impact issues, namely open redirect, host header injection, and the leakage of password hashes. Open redirect and host header injection can be used for phishing attacks. The leakage of password hashes is restricted to users with an admin account.

3. Details

Open Redirect

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

There is an open redirect vulnerability in the cancel action which may be used for phishing attacks.

Proof of Concept:


Leakage of Password Hashes

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

When comparing versions of a user, the password hash as well as the current session id are printed.

A user account with the right to restore previous versions is required. Per default, only the admin role has this right.

Proof of Concept:

http://localhost/admin/compare?id=3¤t=yes http://localhost/admin/compare?id=7¤t=no

Host Header Injection

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N

The application takes the Host Header and uses it in a password reset email. As the Host Header is user-controlled, an attacker can set it to arbitrary values.

In the case of a password reset page, this can lead to security issues as an attacker can request a password reset email for a user and set the Host header to a server they control. As this header is used in the email, a user would be send to the attackers server if they were to click on the link, leading to the leakage of the recovery token and thus the compromisation of the account.

Proof of Concept:

Request: POST /user/recover HTTP/1.1 Host: example.com Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 64 email=foo%40example.com&_token_=31c2cdbe1092449f631ba90bae1937e1 Email Send: Password recovery Hi foo,=0A=0AA request has been made to reset your password. You can ver= ify your=0Aemail address and reset your password at the following link:= =0A=0Ahttp://example.com/user/newpass?recover=3D3c9971cff8ad273978621625= 2210fd1b&email=3Dfoo%40example.com=0A=0AIf you received this message in= error, you can safely ignore it.=0A=0ARegards,=0A=0AYour Site Name

4. Solution

To mitigate this issue please upgrade at least to version 1.3.13.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue, Vendor announces fix
11/07/2016 Asked Vendor if recent releases fixes issues, Vendor confirmed
02/02/2017 Disclosed to public