Component Type: Neos
Vulnerability Type: XSS, Arbitrary file upload
Severity: Medium/High
Affected Versions: 1.2.0 to 1.2.12 (only XSS) and 2.0.0 to 2.0.3 (XSS and file upload)
Release Date: November 23rd, 2015
Suggested CVSS v2.0: (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:ND/RL:OF/RC:C)
CVE: not assigned
Problem Description
It
has been discovered that Neos is vulnerable to several XSS attacks.
Through these vulnerabilities, an attacker could tamper with page
rendering, redirect victims to a fake login page, or capture user
credentials (such as cookies). With the potential backdoor upload an
attacker could gain access to the server itself, to an extent mainly
limited by the server setup.
Reflected Cross-Site Scripting (SXSS) with authentication
- A Neos backend user with permission to modify content can insert JavaScript instructions into content elements. The browser will execute the script in "Print" preview mode.
- A Neos backend user who can modify his profile information ("Title", "First Name", "Last name", "Middle Name", "Other Name") can inject JavaScript instructions in those parameters. Once set up, an administrator who wants to edit this user account will execute the code.
Both attack vectors require a valid Neos backend user account.
Reflected Cross-Site Scripting (RXSS) without authentication
A non-persistent XSS using parameters passed during plugin execution is possible. If invalid parameters are passed, an error message may be shown (depending on the context Neos runs in and how the parameters are handled) that contains the unescaped parameter value.
Note: Through the HTML content type the inclusion of arbitrary JavaScript is still possible for users with a valid Neos backend account. If you want to prohibit that, disable the nodetype or restrict access.
Potential backdoor upload
Through an issue with the underlying Flow framework (see the related Flow advisory Flow-SA-2015-001)
any editor with access to the Media Management module can
upload server side script files (when using Neos 2.0.x). If those scripts are executed by the
server when accessed through their public URL, anything not blocked
through other means is possible (information disclosure, placement of
backdoors, data removal, …).
Solution
Update
to Neos versions 1.2.13 or 2.0.4 that fix the problems described. Also
update to the latest Flow release to fix the file upload issue (see
advisory Flow-SA-2015-001).
Credits
Thanks to Mickael Dorigny (Synetis) who discovered the issues and to Flownative and networkteam for sponsoring the fixes. Thanks to the Neos security team members for reviewing the fixes.