Security Vulnerabilities

j2h2
Posts: 2
Joined: Tue Jan 06, 2015 9:55 pm

Security Vulnerabilities

Post by j2h2 »

To continue upon what igorkov found and mentioned in this post, http://wondercms.com/forum/viewtopic.php?f=20&t=620, I've found another security vulnerability in WonderCMS.

The 404 page/page created page is vulnerable to XSS injection. Proof of Concept: http://wondercms.com/%3Cscript%3Ealert% ... /script%3E

Also, the vulnerability mentioned in the second post of igorkov (with editInplace.php) can also be used to traverse the file system of the web server, possibly exposing private data.
turboblack
Posts: 198
Joined: Fri Sep 19, 2014 1:53 pm

Re: Security Vulnerabilities

Post by turboblack »

:? and... how to fix that???? :? :? :?
http://old.net.eu.org/ Get ready to hamsterization! 8-) code takes less than a kilobyte! shock!
https://github.com/turboblack/HamsterCMS new version for PHP 8 with new templates
j2h2
Posts: 2
Joined: Tue Jan 06, 2015 9:55 pm

Re: Security Vulnerabilities

Post by j2h2 »

The inputs will need to be properly sanitized to remove possibly malicious data being given to the application.

Lines 12 and 13 of index.php need to be filtered and limited to just text to stop the XSS attack. (More information on XSS attacks is available here: https://www.owasp.org/index.php/Cross-s ... _%28XSS%29.)

The files/password file should be moved to a separate folder. It shouldn't be with the other user data. Moving it and filtering inputs should help.

Line 17 in js/editInplace.php also needs to be restricted to the necessary files and nothing else.

I could try to patch things up, but I don't know where the repo is. Also, do the devs know about this? Shouldn't WonderCMS users be notified too?

Thanks,
j2h2
igorkov
Posts: 4
Joined: Tue Oct 28, 2014 3:24 pm

Re: Security Vulnerabilities

Post by igorkov »

Hice... :?

Hard fix for these problems, after getting the page name:

$rp = isset($_REQUEST['page']) ? $_REQUEST['page'] : '';

Add this, which cuts all symbols except A-Z, a-z and '-':

$rp = preg_replace('/[^a-zA-Z0-9-]/', '', $rp);

Example:
http://igorkov.org/%3Cscript%3Ealert%28 ... /script%3E
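
The fixes discussed in the posts above (allowlisting the page name, encoding it on output, and confining file access to one directory), sketched as an added example that is not WonderCMS code or any poster's patch. The function names, the blocked `password` entry and the demo directory are assumptions made for illustration.

```php
<?php
// Added example: helper names and the directory layout are hypothetical.

// Allowlist the page name, using the same pattern as the preg_replace fix above.
function clean_page_name(string $raw): string
{
    return (string) preg_replace('/[^a-zA-Z0-9-]/', '', $raw);
}

// Encode on output too, so any value echoed into the 404 text is inert in HTML.
function not_found_message(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return 'Page "' . $safe . '" was not found.';
}

// Map a requested field name to a file inside $baseDir, or null if it is not allowed.
function resolve_content_file(string $baseDir, string $field): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !preg_match('/^[a-zA-Z0-9-]+$/', $field)) {
        return null;                      // rejects "../", slashes, dots, null bytes
    }
    if (in_array($field, ['password'], true)) {
        return null;                      // the credential file is never editable content
    }
    $path = $base . DIRECTORY_SEPARATOR . $field;
    $real = realpath($path);              // false when the file does not exist yet
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real !== false && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                      // an existing entry (e.g. a symlink) leaves $base
    }
    return $path;
}

// Constructed sample inputs, not taken from a real request log.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wcms-demo-files';
@mkdir($base);
foreach (['<script>alert(1)</script>', '../../etc/passwd', 'about-us', 'password'] as $in) {
    printf("%-28s page=%-20s file=%s\n", $in, clean_page_name($in),
        var_export(resolve_content_file($base, $in), true));
}
echo not_found_message('<script>alert(1)</script>'), "\n";
```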
Nicasi
Posts: 3
Joined: Mon Feb 02, 2015 8:39 pm

Re: Security Vulnerabilities

Post by Nicasi »

Hi Guys,

It seems the code of this nice little gem called Wondercms has some issues. It also seems you are able to fix some of these issues. Would any of you care to put this code on github so it can be patched? I'm not fluent enough in PHP to do this myself but I could help with the Javascript/HTML part if there are any issues.

The license is the most free creative commons one so you can adapt it as needed as long as you give credit.

Would be nice to keep this project alive.
Nicasi
Posts: 3
Joined: Mon Feb 02, 2015 8:39 pm

Re: Security Vulnerabilities

Post by Nicasi »

Oh, it's already there.

https://github.com/robiso/wondercms
Nicasi
Posts: 3
Joined: Mon Feb 02, 2015 8:39 pm

Re: Security Vulnerabilities

Post by Nicasi »

Okayyy, I'm a bit confused, seems like the Wondercms on github doesn't contain all files as the download from the site. Maybe the github version is 0.4?

Here is another repo with ckeditor added. I added ckeditor to Wondercms manually some time ago and it kicks ass for smaller projects.

https://github.com/nishantmendiratta/wo ... h_ckeditor
turboblack
Posts: 198
Joined: Fri Sep 19, 2014 1:53 pm

Re: Security Vulnerabilities

Post by turboblack »

I do not understand either why such a thick editor is needed for such a small script :)
There are plenty of small solutions for this.
wiz
Posts: 749
Joined: Sat Oct 30, 2010 12:23 am

Re: Security Vulnerabilities

Post by wiz »

Hello everyone.

Yes that is the correct GitHub URL for WonderCMS development.
The GitHub version of WonderCMS has fewer files because of a new functionality that auto-generates the necessary folders.

I suggest you try and download it, as there are some code upgrades that are not yet available to the general public (everyone who downloads the beta from the front page - wondercms.com).

That aside, today we also moved WonderCMS to a new server (as you might have noticed some interruptions in uptime and functionality) that is now powered by nginx (instead of apache). Soon we'll also be able to offer a WonderCMS version for everybody who owns a server running on nginx.

It's pretty late now, but tomorrow I'll patch up the security fixes you guys posted here to GitHub (if someone else doesn't do it before me) and after some testing publish it as a new version.

Please report any bugs that you might notice around this site to GitHub.

Regards
rob