Webmasters urged to update the PHP-based site builder ASAP
A critical security vulnerability in Microweber, the open source content management system (CMS), leaked easy-to-crack administrator credentials and a wealth of other user information.
Passwords used to gain access to the CMS are hashed with bcrypt out of the box, but “these hashes are crackable with Hashcat under the default configuration, making it feasible for an attacker to obtain administrator passwords”, said Hunter Stanton, a penetration tester at Rhino Security Labs.
Web administrators are advised to update their Microweber builds as soon as possible after the team behind the PHP-based CMS patched the flaw.
Microweber has been downloaded more than 71,000 times [non-HTTPS link] since the platform’s launch in 2015.
Dump and divulge
The pre-authentication flaw (CVE-2020-13405) was found in the controller.php script, which a Microweber developer said was a “leftover from the early days of Microweber’s development”, recounted Stanton.
The script runs Laravel’s ‘dump and die’ function on the user database, which prints the entire PHP variable’s contents out to HTML before halting the script’s execution, explained the researcher in a blog post published on July 16.
The bug can be exploited, without authentication, by submitting the POST request module=/modules/users/controller to the /modules/ endpoint.
This executes the controller.php script, which generates the entire user database in the response.
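The request pattern described above is simple enough to look for in request logs, which is useful both for spotting probing of an unpatched install and for confirming that nothing else on a site still reaches the leftover script after upgrading. The following is an added example, not code from the article or from the Microweber project; it assumes a log source that retains POST bodies (for example a WAF audit log or application-level request logging, since ordinary access logs do not record bodies), and the sample records are constructed for illustration. It normalises percent-encoding, repeated slashes and case so that trivially obfuscated variants of the same module path are still matched.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample request records (method, path, raw POST body).
# Assumes the log source keeps the request body; this is not real traffic.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/modules/", "body": "module=/modules/users/controller"},
    {"method": "POST", "path": "/modules/", "body": "module=%2Fmodules%2Fusers%2Fcontroller&x=1"},
    {"method": "POST", "path": "/modules/", "body": "module=/modules/content/search"},
    {"method": "GET",  "path": "/modules/", "body": ""},
    {"method": "POST", "path": "/modules/", "body": "module=//modules/users/controller/"},
]

# Module path named in the advisory, stored without surrounding slashes.
TARGET_MODULE = "modules/users/controller"


def normalize_module(value):
    """Canonicalise a 'module' parameter value for comparison.

    parse_qs already decodes one layer of percent-encoding; decoding twice
    more covers double-encoded input. Repeated slashes are collapsed and the
    result is stripped of surrounding slashes and lower-cased.
    """
    decoded = value
    for _ in range(2):
        decoded = unquote(decoded)
    decoded = re.sub(r"/+", "/", decoded)
    return decoded.strip("/").lower()


def is_leftover_controller_request(req):
    """True if the record matches a POST to /modules/ selecting the leftover controller."""
    if req["method"].upper() != "POST":
        return False
    if req["path"].rstrip("/") != "/modules":
        return False
    params = parse_qs(req["body"], keep_blank_values=True)
    return any(normalize_module(v) == TARGET_MODULE for v in params.get("module", []))


def flag_requests(requests):
    """Return the indices of records that match the pattern."""
    return [i for i, r in enumerate(requests) if is_leftover_controller_request(r)]


if __name__ == "__main__":
    for idx in flag_requests(SAMPLE_REQUESTS):
        r = SAMPLE_REQUESTS[idx]
        print(f"record {idx}: {r['method']} {r['path']} body={r['body']!r}")
```

On the constructed records the function flags the plain request, the percent-encoded one and the one with doubled slashes, while leaving the unrelated module and the GET untouched. On a patched install (1.1.20 or later, where controller.php has been removed) any hit is still worth a look, since it shows someone is checking for the old script.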
PHP scripts are used to give web administrators the ability to customize the CMS, either by plugging in their own scripts or modifying existing ones.
They can use off-the-shelf modules or write their own to perform functions that include embedding Tweets or adding a search utility.
Explaining why he started probing the drag-and-drop website builder for flaws, Stanton told The Daily Swig: “I was looking through a list of open source CMS programs on GitHub when I found Microweber.
“Very few vulnerabilities had been found for Microweber in the past, and I had a hunch that it was a ‘hidden gem’.”
The researcher said he had encountered no evidence of the vulnerability being exploited in the wild, although he hadn’t actively looked for signs of the bug being abused.
Rhino Security Labs, a Seattle-based penetration testing company, disclosed the vulnerability to Microweber on April 27.
The project maintainers confirmed the vulnerability on May 22 and released Microweber 1.1.20, which removes controller.php from the source code, on June 22.
Stanton said the Microweber team had been a pleasure to work with.
“I plan to do more research on Microweber in the future,” he told The Daily Swig.
“Microweber was very responsive in handling the disclosure and great to work with in getting it patched.”
The Daily Swig has contacted the Microweber team for further details.