
Stored XSS leads to account takeover in Flarum

Trung Nguyen

CEO @CyStack | November 19, 2022

CyStack Advisory ID: CSA-2022-01
CVE IDs: CVE-2022-41938
Severity: Critical
CVSS v3 Base: 9.0

Synopsis

CyStack’s researchers recently discovered a Stored XSS vulnerability in the Flarum platform, versions 1.5.0 through 1.6.1, which can lead to an account takeover attack. Flarum is a widely used, simple, open-source forum platform. At the time of this post, we estimate that there are about 1200 active Flarum websites.

Exploiting this vulnerability is very simple: the attacker only needs to create a post that includes the payload on the target forum and wait for forum users to open it. The attacker can then obtain the victims’ cookies and take over their accounts on the forum.

CyStack reported this issue to the Flarum team via their bug bounty program and received confirmation from the team. A patch and an announcement were released shortly afterwards at https://discuss.flarum.org/d/31999-critical-security-update-to-flarum-core-v162

Details

The title is a required field when a user creates a discussion in the forum. The problem is that the developers did not sanitize this value before rendering it into the HTML, so an attacker can craft a malicious payload and place it in the title field when creating the discussion. Once a victim opens the discussion, the payload executes and can steal the user’s cookies.

According to the Flarum team:

Flarum’s page title system allowed for discussion title inputs to be converted into HTML DOM nodes when rendered (visiting a discussion page). This change was made in v1.5.0 and was not noticed.

This allowed for any user to type malicious HTML markup within discussion title user input, either through a new discussion or renaming an existing one, and have this execute on client browsers. Entering faux-malicious HTML markup, such as <img src=x onerror=alert(document.domain)> resulted in an alert box appearing on the forum. This attack could also be modified to perform AJAX requests on behalf of a user, possibly deleting discussions, modifying their settings or profile, or even modifying settings on the Admin panel if the attack was targeted towards a privileged user.

https://discuss.flarum.org/d/31999-critical-security-update-to-flarum-core-v162
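The following is an added example written for this advisory; it is not Flarum’s code and does not reproduce Flarum’s page title system. It contrasts the vulnerable pattern described above (placing a user-controlled discussion title into markup that the browser parses, so a tag in the title becomes a DOM node) with the fixed pattern (escaping the title so it renders as text), and adds a coarse triage check that a forum operator could run over stored titles. The heading wrapper, function names and the benign sample title are assumptions; the second sample title is the harmless test markup quoted by the Flarum team.

```javascript
// Added example, not Flarum's own code: vulnerable vs. escaped rendering of a
// user-supplied discussion title, plus a heuristic check over stored titles.

// Escape the characters that can change meaning in HTML text or attribute
// context. The result is safe to concatenate into markup as text.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: raw input is placed into markup the browser will parse,
// so a title containing a tag becomes a live DOM node (e.g. via innerHTML or a
// "trusted HTML" helper). Kept only for contrast with the safe version below.
function renderHeadingUnsafe(title) {
  return `<h1>${title}</h1>`;
}

// Fixed pattern: escape before concatenation so the title renders as text.
function renderHeadingSafe(title) {
  return `<h1>${escapeHtml(title)}</h1>`;
}

// True when the markup still contains a literal opening tag with this name,
// i.e. the tag survived into the output and a browser would parse it.
function containsRawTag(markup, tagName) {
  return new RegExp(`<\\s*${tagName}\\b`, 'i').test(markup);
}

// Coarse review aid: flag stored titles that look like they contain HTML
// markup. A triage heuristic, not a parser, and not a substitute for escaping.
function titleLooksLikeMarkup(title) {
  return /<\s*\/?[a-zA-Z][^>]*>/.test(title);
}

// Return the subset of titles worth a closer look.
function triage(titles) {
  return titles.filter(titleLooksLikeMarkup);
}

// Constructed sample input: one benign title (assumed) and the harmless test
// markup the Flarum team quoted in their announcement.
const SAMPLE_TITLES = [
  'How do I configure email?',
  '<img src=x onerror=alert(document.domain)>',
];

for (const t of SAMPLE_TITLES) {
  console.log('unsafe:', renderHeadingUnsafe(t));
  console.log('safe:  ', renderHeadingSafe(t));
}
console.log('flagged for review:', triage(SAMPLE_TITLES));
```

In the unsafe output the quoted markup appears verbatim inside the heading and would be parsed as an element; in the safe output it appears as `&lt;img ...&gt;` and is displayed as text. The triage function is only useful for finding titles that were stored while the vulnerable version was running; the fix itself is escaping at render time.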

PoC

Step 1 (screenshot): Create a discussion with the payload included
Step 2 (screenshot): Request captured
Step 3 (screenshot): Payload is triggered

Remediation

Flarum users should update their platform to the latest version (>=1.6.2) using the instructions below.

# Update to latest version
composer update --prefer-dist --no-dev -a -W

# Verify that you're on v1.6.2
composer show flarum/core

# Clear cache
php flarum cache:clear
