Evolution CMS, FUDforum, and GitBucket vulnerabilities chained for maximum impact

Trio of XSS bugs in open source web apps could lead to complete system compromise

Researchers have released details on a trio of cross-site scripting (XSS) vulnerabilities in popular open source apps that, chained with legitimate administrator functionality, could lead to remote code execution (RCE).

The security bugs, found by a research team from PT Swarm, affect the content management system Evolution CMS, the forum software FUDforum, and the Git hosting platform GitBucket.

A traditional XSS attack allows the attacker’s JavaScript code to be executed in the victim’s browser in the context of the vulnerable site, opening the door to session cookie theft, redirection to a phishing site, and any action the application lets the victim perform, carried out with the victim’s privileges.

Web security researcher Aleksey Solovev told The Daily Swig that this research, detailed in PT Swarm’s blog, relates to how “the combination of the discovered possibility of conducting an XSS attack and the built-in file manager (or executing a SQL query) in the administrator panel can lead to a complete compromise of the system”.

Triple threat

The first vulnerability, in Evolution CMS v3.1.8, could allow an attacker to carry out a reflected XSS attack in several places in the admin panel.

“An attacker could try to force a system administrator to follow a malicious link through social engineering, which would lead to the execution of malicious JavaScript code in the browser of the attacked,” Solovev told The Daily Swig.

“The consequence would be a complete compromise of the system by overwriting the executable file using the built-in file manager.”


A second flaw, found in FUDforum v3.1.1, could allow a malicious actor to carry out a stored XSS attack via the filename of an attachment to a private message.

“An attacker could send a private message to an administrator with a malicious payload in the name of the attached file,” said Solovev.

“When this message is read by the administrator, his browser would execute the JavaScript code and, using the built-in file manager, an executable file would be created that would allow the attacker to execute commands on the server.”

Finally, in GitBucket v4.37.1, a security bug was discovered that could enable an attacker to carry out a stored XSS attack in “several places”, according to Solovev.

An attacker only needed to create an issue in a public repository with JavaScript injected into the issue title.

The new-issue event then appeared in the site-wide activity feed and on the attacker’s profile page. Both of those pages rendered the issue title without escaping it, so the JavaScript executed in the browser of anyone who viewed them.
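The three bugs share a root cause: a string the application received from a user (an attachment filename in FUDforum, an issue title in GitBucket, a request parameter reflected by the Evolution CMS admin panel) is written into HTML without encoding. The following is an added example, written for this article and not taken from PT Swarm or from any of the three projects. It contrasts the vulnerable rendering pattern with an encoded one and uses a small tag scanner to show which elements and attributes a browser would parse in each case. The helper names, the /attachment?id= path and the sample labels are assumptions constructed for the demo.

```javascript
// Added example (not code from Evolution CMS, FUDforum, GitBucket or PT Swarm):
// context-aware output encoding of an untrusted label such as an attachment
// filename or an issue title before it is spliced into HTML. The helper names,
// the /attachment path and the sample labels are all constructed for this demo.

// Encode the five characters that matter in an HTML text node or inside a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Drop control characters (they can smuggle line breaks into headers and logs)
// and cap the length; a display name has no use for either.
function normaliseLabel(label) {
  return String(label).replace(/[\x00-\x1f\x7f]/g, "").slice(0, 255);
}

// The vulnerable pattern: the untrusted label is interpolated as-is, so any
// markup in it becomes part of the page the viewer's browser executes.
function renderLinkUnsafe(label, id) {
  return `<a href="/attachment?id=${id}">${label}</a>`;
}

// The hardened pattern: the id is type-checked and the label is normalised and
// HTML-encoded. One encoded value serves both the text node and the
// double-quoted download attribute because escapeHtml covers both contexts.
function renderLinkSafe(label, id) {
  if (!Number.isInteger(id) || id < 0) {
    throw new TypeError("attachment id must be a non-negative integer");
  }
  const safe = escapeHtml(normaliseLabel(label));
  return `<a href="/attachment?id=${id}" download="${safe}">${safe}</a>`;
}

// A deliberately small tag scanner that lists the elements and attribute names
// a browser would see in a fragment. It is a test aid for this demo, not a
// sanitiser: it assumes attribute values never contain a raw '>' (true for the
// encoded output above, not for arbitrary HTML).
const TAG_RE = /<([a-z][a-z0-9]*)([^>]*?)\/?>/gi;
const ATTR_RE = /([^\s=>"'\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>"']+))?/g;

function auditTags(html) {
  const found = [];
  for (const [, tag, rawAttrs] of html.matchAll(TAG_RE)) {
    const attrs = [...rawAttrs.matchAll(ATTR_RE)].map((m) => m[1].toLowerCase());
    found.push({ tag: tag.toLowerCase(), attrs });
  }
  return found;
}

// The rendered link should contain exactly one <a> carrying only href/download.
function isExpectedLinkMarkup(html) {
  const allowed = new Set(["href", "download"]);
  const tags = auditTags(html);
  return tags.length === 1 && tags[0].tag === "a" && tags[0].attrs.every((a) => allowed.has(a));
}

// Constructed sample labels: one benign, two carrying payloads of the kind a
// stored XSS in a filename or issue title would use.
const SAMPLE_LABELS = [
  "report.pdf",
  "<img src=x onerror=alert(document.cookie)>.png",
  '"><script>fetch("/admin/filemanager")</script>',
];

for (const label of SAMPLE_LABELS) {
  const unsafe = renderLinkUnsafe(label, 1);
  const safe = renderLinkSafe(label, 1);
  console.log(`label: ${JSON.stringify(label)}`);
  console.log(`  unsafe -> ${JSON.stringify(auditTags(unsafe))}`);
  console.log(`  safe   -> ${JSON.stringify(auditTags(safe))}`);
}
```

Running the block prints, for each sample label, the element list the unsafe rendering hands to the browser (an extra img with an onerror handler, or a script element) next to the single anchor the encoded rendering produces. The same encoder applies whether the value arrives stored, as in the FUDforum and GitBucket cases, or reflected from the request, as in Evolution CMS; what changes between contexts (text node, quoted attribute, URL, JavaScript) is which encoder is correct, and the example only covers the first two.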

“In the admin panel, it was possible to execute SQL code based on the H2 Database Engine, for which there is already an exploit that allows you to execute a command on the server,” Solovev explained.

“Putting everything together, an attacker could attack the administrator and gain the ability to execute commands on the server.”

Patches released

All three vulnerabilities were awaiting CVE assignment at the time of writing but had already been patched by the projects’ maintainers, Solovev told The Daily Swig.

The researcher added that the main difficulty in discovering these flaws was finding the XSS vectors themselves.

“The rest of the steps were easier because they had public exploits for legitimate functionality in the form of a file manager in the admin panel,” he explained.

More information about the vulnerabilities and technical detail on the exploit can be found in PT Swarm’s blog.
