Content filtering shortcomings led to web security flaw
Security researchers have uncovered a stored cross-site scripting (XSS) vulnerability in Microweber, an open source website builder and content management system (CMS).
The security issue, discovered by researchers James Yeung and Bozhidar Slaveykov, and tracked as CVE-2022-0930, was resolved in version 1.2.12 of Microweber.
The problem arose because of shortcomings in the content filtering protections offered by earlier versions of Microweber.
These shortcomings meant it was possible for an attacker to upload an XSS payload, as long as the upload included a file whose name ended with ‘html’ – a category that covers far more than plain .html files, since the check relied on blocking known-bad names rather than admitting known-good ones.
Because the uploaded file is then served from the site’s own origin, anyone who visits its URL has the malicious HTML rendered by their browser and the embedded JavaScript executed with that site’s cookies and privileges.
By controlling a script that is executed in the victim’s browser, it would be possible for an attacker to steal cookies before impersonating a victim, potentially the administrator of a compromised system.
The attack is explained in greater depth in a technical blog post – featuring a proof-of-concept exploit – put together by Yeung and Slaveykov.
The Daily Swig invited Microweber to comment on the researchers’ findings via a message sent through a webform on its website. In response, Microweber confirmed that the “issue is already fixed”.
Asked how they came across Microweber as a target, Yeung told The Daily Swig: “I came across huntr.dev and found other researchers had found vulnerabilities on Microweber and that's why I joined that mania!”
The vulnerabilities uncovered in Microweber are typical of those found in other comparable enterprise software packages, according to Yeung.
“I have found similar vulnerabilities in multiple CMS like Microweber, and I found that most of them are lacking user input sanitization from HTTP requests (some of which are not intended to be submitted from client),” the researcher explained.
Yeung concluded that developers should move towards allow-lists and away from block-lists as the means of deciding which uploads to accept, since a block-list only catches the names its author thought of.
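The contrast between the weak filter described earlier in this article (an upload check that only refuses names on a block-list) and the allow-list approach Yeung recommends, as an added example for this article. This is illustrative Python, not Microweber’s own PHP code, and the block-list entries, the allowed types, the magic-byte prefixes and the sample file names below are all constructed for the demonstration rather than taken from the vulnerability report.

```python
import posixpath
import re
import secrets

# --- Weak block-list check (an illustrative reconstruction, not Microweber's code).
# It refuses a handful of extensions and only looks at the text after the last dot,
# so any name it did not anticipate that a browser still renders as markup gets through.
BLOCKED_SUFFIXES = {"php", "html", "htm", "js"}


def blocklist_allows(filename: str) -> bool:
    """Vulnerable check: accept unless the final suffix is on the block-list."""
    suffix = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return suffix not in BLOCKED_SUFFIXES


# --- Allow-list check. The name must match a strict pattern with exactly one
# extension, the extension must be one of a few inert types, and the body must
# begin with that type's magic bytes. The stored name is generated server-side.
ALLOWED_TYPES = {
    # extension: (Content-Type to serve, leading bytes the body must carry)
    "png":  ("image/png",       b"\x89PNG\r\n\x1a\n"),
    "jpg":  ("image/jpeg",      b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg",      b"\xff\xd8\xff"),
    "gif":  ("image/gif",       b"GIF8"),
    "pdf":  ("application/pdf", b"%PDF-"),
}
# stem of safe characters, one dot, one short extension; nothing else is accepted
NAME_PATTERN = re.compile(r"[a-z0-9][a-z0-9_-]{0,63}\.([a-z0-9]{1,4})")


def allowlist_accepts(filename: str, content: bytes):
    """Return (stored_name, response_headers) or None when the upload is refused."""
    # Drop any path the client sent (either separator) and normalise case.
    name = posixpath.basename(filename.replace("\\", "/")).lower()
    match = NAME_PATTERN.fullmatch(name)
    if match is None:            # rejects 'a.php.png', '.htaccess', 'x.html.'
        return None
    ext = match.group(1)
    if ext not in ALLOWED_TYPES:  # anything not explicitly listed is refused
        return None
    content_type, magic = ALLOWED_TYPES[ext]
    if not content.startswith(magic):  # the body must really be that type
        return None
    stored = f"{secrets.token_hex(16)}.{ext}"
    headers = {
        "Content-Type": content_type,
        # Stop the browser from second-guessing the type it is told.
        "X-Content-Type-Options": "nosniff",
        # Images may be embedded inline; everything else is offered as a download.
        "Content-Disposition": "inline" if content_type.startswith("image/")
                               else f'attachment; filename="{stored}"',
    }
    return stored, headers


# Constructed sample uploads: (client-supplied name, first bytes of the body).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SAMPLES = [
    ("notes.html",          b"<script>alert(1)</script>"),   # both filters refuse
    ("notes.xhtml",         b"<html xmlns='http://www.w3.org/1999/xhtml'/>"),
    ("logo.svg",            b"<svg onload='alert(1)'/>"),    # markup that can carry script
    ("photo.png",           SAMPLE_PNG),                     # genuine image
    ("photo.png",           b"<html><script>alert(1)</script></html>"),  # lying extension
    ("../../shell.php.png", SAMPLE_PNG),                     # path and double extension
]


def run_comparison(samples=SAMPLES):
    """Map each sample name to (block-list verdict, allow-list verdict)."""
    return {
        name: (blocklist_allows(name), allowlist_accepts(name, body) is not None)
        for name, body in samples
    }


if __name__ == "__main__":
    for name, (weak, strict) in run_comparison().items():
        print(f"{name:24} block-list={'accept' if weak else 'refuse':6}  "
              f"allow-list={'accept' if strict else 'refuse'}")
```

The block-list lets `notes.xhtml` and `logo.svg` through because neither suffix was on its list, and both are formats a browser will render as markup capable of running script. The allow-list refuses them not because someone remembered to list them but because they were never admitted; it also refuses a correctly named `photo.png` whose body is HTML, and a name carrying a path or a second extension. Serving with `nosniff` and a fixed `Content-Type` closes the remaining gap where a browser might reinterpret an accepted file.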