CVE-2022-32173 In v1.2.2 of Orchard Core, an authenticated user with an editor security role can inject a modal dialog component into the dashboard that will affect admin users. In effect this is a stored cross-site scripting (XSS) issue: markup supplied by a lower-privileged editor is rendered unescaped in a page that administrators view.
The injected dialog can be used to show administrators fake admin-level warnings or prompts, and because it runs in the administrator's browser with the administrator's session, any script in it can perform actions as that logged-in user. Exploitation does not depend on a link sent by email or posted on a forum: the editor stores the payload in content the dashboard renders, and it executes as soon as an administrator opens the dashboard.
#1 Best Practice: Never trust user input. Every value that originates from a user, including one holding an editor role, must be treated as data, not as markup or code. For content rendered into a page that means HTML output encoding at the point of rendering (or a strict allow-list sanitizer where rich text is genuinely required); for database queries it means parameterized statements. Where an input reaches a query, a shell or a deserializer without such handling, the consequence can be remote code execution, so missing encoding or filtering is not a cosmetic defect.
Because the payload is stored in the site's database rather than carried in a URL, it is shown to every administrator who loads the affected dashboard, not only to a single victim, and it stays there until the content is removed. That is what turns a low-privileged editor account into an escalation of privilege path. For example, the persistent dialog component allows an attacker to issue a
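As an added example (not Orchard Core's code), the following Node.js script shows the rendering flaw behind #1 in its smallest form: a hypothetical dashboard widget that echoes an editor-controlled title into admin-facing markup, once by string concatenation and once through an HTML encoder. The widget, the encoder, the tag-counting check and the payload string are all constructed for this illustration; the payload mimics the kind of stored dialog the advisory describes.

```javascript
// Added example, not part of Orchard Core. Shows how an editor-supplied string
// becomes a modal dialog plus script in an admin page when it is rendered
// without HTML encoding, and what output encoding does to the same input.
// Run with: node dashboard.js

// Minimal HTML encoder covering the characters that matter for element
// content and double-quoted attribute values.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hypothetical dashboard widget: displays the title of a content item that an
// editor-role user controls. `unsafe: true` reproduces the flaw by
// concatenating the value straight into the markup.
function renderWidget(title, { unsafe = false } = {}) {
  const shown = unsafe ? title : encodeHtml(title);
  return `<div class="widget"><h3>${shown}</h3></div>`;
}

// Constructed payload of the kind an editor could store: a dialog that is open
// on page load (a fake re-authentication prompt) and a script that runs with
// the administrator's cookies. The URL is a placeholder, not a real endpoint.
const PAYLOAD =
  'Q3 report<dialog open><p>Session expired, re-enter your password</p></dialog>' +
  '<script>fetch("/Admin/Users", {credentials: "include"})</script>';

// Counts tags in the rendered markup that the widget itself did not emit.
// A crude scan to make the difference visible; it is not a sanitizer.
function countForeignTags(html) {
  const own = new Set(['div', 'h3']);
  let n = 0;
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    if (!own.has(m[1].toLowerCase())) n++;
  }
  return n;
}

// Vulnerable rendering: the dialog and script land in the admin page as live
// elements (6 foreign tags). Encoded rendering: the same text is shown
// literally inside the <h3> and nothing else is created (0 foreign tags).
console.log('unsafe  :', renderWidget(PAYLOAD, { unsafe: true }));
console.log('foreign :', countForeignTags(renderWidget(PAYLOAD, { unsafe: true })));
console.log('encoded :', renderWidget(PAYLOAD));
console.log('foreign :', countForeignTags(renderWidget(PAYLOAD)));
```

In a real ASP.NET Core application the equivalent of `encodeHtml` is Razor's default `@expression` encoding; the flaw corresponds to bypassing it with `Html.Raw` (or building markup by string concatenation in C# or JavaScript) for a value that a lower-privileged user can set. The tag counter above only illustrates the before/after; it must not be used as a filter, since encoding at render time, not pattern matching, is the control.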
CVE-2022-32174
The text here describes this entry as an authentication bypass that yields admin access, but the exploitation path it gives, luring an already logged-in administrator to a crafted URL, is that of a client-side injection reached through the victim's existing session, not a bypass of authentication. The description names neither the affected product nor the affected versions.
To exploit this issue, an attacker must trick a logged-in administrator into visiting a malicious URL, for example through a link in an email or a forum post. Once the administrator loads that URL, the payload runs in the administrator's browser, and whatever it stores in the site's database is executed the next time an administrator opens an affected page.
#2 Best Practice: Always enable HTTP Strict Transport Security (HSTS). HSTS tells browsers that have seen the header to reach the site only over HTTPS for the stated max-age, which stops plaintext downgrade and cookie-stripping attacks on the transport. It does not prevent injection of iframe, dialog or script tags: injected markup is served over HTTPS just as well, so HSTS complements output encoding but does not replace it. The browser-side control that actually limits injected markup is a Content Security Policy that disallows inline script and restricts frame sources. With the injection fixed and a CSP in place, admins see only the content the application deliberately rendered for them.
SQL Injection
SQL injection is a separate class of injection from the HTML injection described above: untrusted input is concatenated into a SQL statement so that the input changes the query the database executes, rather than being treated as a value. It has nothing to do with iframe tags or with the site's root URL. The Orchard Core issue does not require SQL injection; the attacker's markup is stored through the normal content-editing path and rendered without encoding. The two share a root cause (#1 above) and the same shape of fix: keep data and code separate, with parameterized queries on the database side and contextual output encoding on the rendering side. Where SQL injection is present in an admin-reachable feature, an attacker can run arbitrary queries with the application's database privileges, which can extend to reading credentials or, on some database engines, executing commands on the host, so it is also an escalation of privilege path.
Persistent Dialog Component
The "persistent dialog component" is not a Web Component shipped by Chrome or any other browser; the phrase describes the attacker's stored payload, a modal dialog (for example an HTML dialog element or a styled overlay) that Orchard Core renders into the admin dashboard from editor-controlled content. It persists because it lives in the site's database, so it reappears on every dashboard load until the offending content is removed, and it can be styled to look like a legitimate part of the admin UI. An attacker with an editor role uses it to target any admin-level user who views the dashboard; the administrator does not need to visit an attacker-supplied URL.
The vulnerability is not limited to modern versions of Chrome or to WebKit-based browsers such as Safari. Injected markup is interpreted by every browser, so the administrator's browser version has no bearing on whether the attack works.
Timeline
Published on: 10/03/2022 13:15:00 UTC
Last modified on: 10/04/2022 20:25:00 UTC