A reflected Cross-Site Scripting (XSS) vulnerability has been reported in Microweber 1.3.1, a popular open-source website builder and content management system (CMS). The flaw, assigned CVE-2022-0698, lies in the 'select-file' parameter of the media manager and lets an unauthenticated attacker take over the account of any logged-in user who opens a crafted link. In this post we walk through the vulnerable code, show a proof-of-concept request, and discuss what an attacker can do with it.

Vulnerability Details

Microweber 1.3.1 takes the 'select-file' parameter of the media manager straight from the request and reflects it into the page it returns, without validating that it names a file and without HTML-encoding it on output. An attacker can therefore place a script in that parameter, and the script runs in the browser of any user who opens the resulting URL. Because it executes with the victim's session, the script can act as the victim; for an administrator, that amounts to a full account takeover.

The following code snippet shows where the 'select-file' parameter enters the application without any validation:

// Microweber version 1.3.1
// Filename: src\Microweber\Controllers\MediaController.php

public function select_file()
{
    // Value comes straight from the query string: no type, length or
    // path check, and no restriction to files inside the media folder.
    $selected_value = mw('url')->param('select-file');

    // Stored as-is; the media manager later echoes it back into its
    // HTML, which is where the unencoded value becomes executable script.
    up()->set_selected_file($selected_value);
}

The 'select-file' value is assigned to $selected_value exactly as received. Nothing checks that it is a plausible file name, and, as the leading '">' in the proof-of-concept below shows, the value is later written into an HTML attribute without being encoded, so a double quote closes the attribute and whatever follows is parsed as markup.

Exploit Details

An attacker crafts a URL whose 'select-file' parameter carries the script and delivers it to a victim, typically an administrator or another user with elevated privileges. The attacker needs no account of their own; the victim only has to be logged in and open the link. The script then runs in the victim's browser, in the origin of the CMS and with the victim's session, so it can read whatever the victim can read and submit any form the victim can submit, including the ones that change the password or create users.

The following proof-of-concept (PoC) URL demonstrates the vulnerability (the payload is percent-encoded so that it reaches the server intact):

http://vulnerable-microweber-site.com/media/select-file?select-file=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

When a logged-in user opens the crafted link, the decoded payload "><script>alert(document.cookie)</script> is reflected into the response and runs in the user's browser, popping an alert with the contents of document.cookie. The alert stands in for a real payload, which would send the cookies to an attacker-controlled host or, if the session cookie carries the HttpOnly flag and cannot be read by script, simply issue requests to the CMS from inside the victim's session. Either way the attacker ends up acting as the victim: changing the victim's password, creating new users, or editing and deleting content in the CMS.

The official advisory for this vulnerability is published in Microweber's GitHub repository:

- Microweber Advisory

The vulnerability has been assigned a CVSS score of 7.2, which rates it as high severity:

- MITRE CVE Entry: https://www.cve.org/CVERecord?id=CVE-2022-0698

Mitigation

Update your Microweber installation to a release that contains the fix for CVE-2022-0698. If you cannot update immediately, apply the two standard XSS defences to the code path shown above: validate 'select-file' against what it is meant to be (a file name or path inside the media directory, rejecting anything else), and HTML-encode the value in the context it is rendered in (for an attribute, htmlspecialchars($value, ENT_QUOTES, 'UTF-8') in PHP). Marking the session cookie HttpOnly and deploying a Content Security Policy do not remove the bug, but they limit what a successful payload can do.
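Until the update is applied, operators can at least tell whether anyone is probing for this bug. The script below scans Apache/nginx combined-format access logs for requests whose 'select-file' parameter carries HTML or script metacharacters, the fingerprint of a CVE-2022-0698 attempt. It is an added example, not code from the original post or from the Microweber project; the log lines are constructed (TEST-NET addresses, made-up timestamps), and the path /media/select-file is taken from the PoC above.

```python
"""Added example (not from the original post or the Microweber project):
scan combined-format access logs for requests that carry HTML or script
metacharacters in the 'select-file' parameter. The sample log lines are
constructed (TEST-NET addresses, made-up timestamps)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client ident user [timestamp] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters and tokens that have no business in a media file selector but are
# needed for attribute break-out, tag injection or event-handler payloads.
SUSPICIOUS_RE = re.compile(r'[<>"\']|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (attackers double-encode to slip past
    naive filters); stop as soon as a pass changes nothing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_attempts(lines):
    """Return one record per request whose 'select-file' value looks like an
    XSS payload: client IP, timestamp, status code and the decoded value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or malformed line
        query = urlsplit(m["target"]).query
        # parse_qs already decodes one layer; fully_decode handles the rest.
        for raw in parse_qs(query, keep_blank_values=True).get("select-file", []):
            value = fully_decode(raw)
            if SUSPICIOUS_RE.search(value):
                hits.append({"ip": m["ip"], "ts": m["ts"],
                             "status": int(m["status"]), "value": value})
    return hits


# Constructed sample: one legitimate selection, the PoC payload, a
# double-encoded <img onerror> variant, an unrelated request, a blank line.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Nov/2022:18:20:01 +0000] "GET /media/select-file?select-file=images%2Flogo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Nov/2022:18:21:13 +0000] "GET /media/select-file?select-file=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 771 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Nov/2022:18:22:40 +0000] "GET /media/select-file?select-file=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E HTTP/1.1" 200 771 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Nov/2022:18:23:02 +0000] "GET /api/search?q=%22quoted%22 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '',
]

if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} select-file={hit['value']!r}")
```

Run it as `python scan.py < /dev/null` after replacing SAMPLE_LOG with `sys.stdin`, or feed it a file with `find_xss_attempts(open("access.log"))`. Only requests that actually name 'select-file' are inspected, so a double quote in some other parameter (the /api/search line) does not count; the double-encoded line is flagged because fully_decode strips both layers before the pattern is applied.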

Conclusion

CVE-2022-0698 in Microweber 1.3.1 is a reminder that a parameter which is neither validated on input nor encoded on output is enough for an XSS that ends in an account takeover. Understanding where the value enters and where it is rendered, and updating promptly, protects your Microweber installations and helps you spot the same pattern elsewhere in your own code.

Timeline

Published on: 11/25/2022 18:15:00 UTC
Last modified on: 11/30/2022 16:07:00 UTC