[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Totaljs CMS Authenticated Code injection on widget creation

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Totaljs CMS Authenticated Code injection on widget creation
From: paw <riccardo.krauter@xxxxxxxxx>
Date: Fri, 30 Aug 2019 19:46:49 +0200

[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup

[+] Title: Totaljs CMS Authenticated Code injection on widget creation.

[+] Affected software: Totaljs CMS 12.0

[+] Description:

An authenticated user with “widgets” privilege can gain RCE on theremote server by creating a malicious widget with a special tagcontaining java-script code that will be evaluated server side.In the process of evaluating the tag by back-end is possible to escapethe sandbox object by using the following payload:<scripttotal>global.process.mainModule.require(‘child_process’).exec(‘RCEhere’);</script>


[+] Step to reproduce:

1) browse to http://localhost:8000/admin/widgets/
2) click on create
3) paste the payload in the source code filed
4) click on save

[+] Project link: https://github.com/totaljs/cms

[+] Original report and details:https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf


[+] Timeline:

- 13/02/2019 -> reported the issue to the vendor

.... many ping here

- 18/06/2019 -> pinged the vendor last time

- 30/08/2019 -> reported to seclist

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Totaljs CMS Insecure Admin Session cookie
Next by Date: [FD] Totaljs CMS Broken Access Control on the API call
Previous by thread: [FD] Totaljs CMS Insecure Admin Session cookie
Next by thread: [FD] Totaljs CMS Broken Access Control on the API call
Index(es):
- Date
- Thread