XSS Vulnerabilities in Neos

It has been discovered that Neos is vulnerable to XSS attacks and arbitrary file upload.

– Written by

Component Type: Neos
Vulnerability Type: XSS, Arbitrary file upload
Severity: Medium/High
Affected Versions: 1.2.0 to 1.2.12 (only XSS) and 2.0.0 to 2.0.3 (XSS and file upload)
Release Date: November 23rd, 2015
Suggested CVSS v2.0(AV:N/AC:L/Au:N/C:P/I:P/A:N/E:ND/RL:OF/RC:C)
CVE: not assigned

Problem Description

It has been discovered that Neos is vulnerable to several XSS attacks. Through these vulnerabilities, an attacker could tamper with page rendering, redirect victims to a fake login page, or capture user credentials (such as cookies). With the potential backdoor upload an attacker could gain access to the server itself, to an extent mainly limited by the server setup.

Reflected Cross-Site Scripting (SXSS) with authentication

  1. A Neos backend user with permission to modify content can insert JavaScript instructions into content elements. The browser will execute the script in "Print" preview mode.
  2. A Neos backend user who can modify his profile information ("Title", "First Name", "Last name", "Middle Name", "Other Name") can inject JavaScript instructions in those parameters. Once set up, an administrator who wants to edit this user account will execute the code.

Both attack vectors require a valid Neos backend user account.

Reflected Cross-Site Scripting (RXSS) without authentication

A non-persistent XSS using parameters passed during plugin execution is possible. If invalid parameters are passed, an error message may be shown (depending on the context Neos runs in and how the parameters are handled) that contains the unescaped parameter value.

Note: Through the HTML content type the inclusion of arbitrary JavaScript is still possible for users with a valid Neos backend account. If you want to prohibit that, disable the nodetype or restrict access.

Potential backdoor upload

Through an issue with the underlying Flow framework (see the related Flow advisory Flow-SA-2015-001) any editor with access to the Media Management module can upload server side script files (when using Neos 2.0.x). If those scripts are executed by the server when accessed through their public URL, anything not blocked through other means is possible (information disclosure, placement of backdoors, data removal, …).

Solution

Update to Neos versions 1.2.13 or 2.0.4 that fix the problems described. Also update to the latest Flow release to fix the file upload issue (see advisory Flow-SA-2015-001).

Credits

Thanks to Mickael Dorigny (Synetis) who discovered the issues and to Flownative and networkteam for sponsoring the fixes. Thanks to the Neos security team members for reviewing the fixes.