Three XSS Bugs Can Cause Complete System Shutdown

What is the bugs trio?

Cybersecurity experts have rolled out information about a trio of cross-site scripting (XSS) vulnerabilities in famous open-source applications that can cause remote code execution (RCE).

Researchers from PT Swarm found the security bugs in the web development applications Evolution CMS, FUDForum, and Gitbucket. 

A primitive XSS attack lets the threat actor's JavaScript code run in the victim user's web browser, which opens the door for cookie theft, redirects to a phishing site, and a lot more. 

Cross-Site Scripting (XSS) is one of the most widely encountered attacks against web apps. If a threat actor gets JavaScript code into the app's output, the result is not only stolen cookies; it sometimes leads to complete compromise of the system. In this blog post, we'll try to understand how XSS-driven remote code execution is achieved, through the examples of Evolution CMS, FUDForum, and Gitbucket.

Evolution CMS V3.1.8

The first bug, in Evolution CMS V3.1.8, allows an attacker to launch a reflected XSS attack from various locations in the admin section. Aleksey Solovev says that, in the case of a successful attack on an administrator authorized in the system, the index.php file will be overwritten with the code that the attacker placed in the payload.

FUDForum v3.1.1

The second vulnerability, discovered in FUDForum v3.1.1, can let an attacker launch a stored XSS attack. Aleksey Solovev says FUDforum is a super fast and scalable discussion forum. It is highly customizable and supports unlimited members, forums, posts, topics, polls, and attachments.

The FUDforum admin panel has a file manager that allows you to upload files to the server, including files with the PHP extension. An attacker can use the stored XSS, running in the administrator's browser with the administrator's session, to upload a PHP file that can execute any command on the server.
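The two links in the chain described above, unescaped output (the XSS) and an admin file manager that accepts server-side scripts (the RCE sink), each have a simple hardening. The following is an added example, not code from FUDforum, Evolution CMS or the PT Swarm research; the function names, the extension list and the sample inputs are constructed for illustration.

```python
import html
import posixpath

# Server-side script extensions the admin file manager must never accept.
# Constructed list for this example; extend it to match the deployment's handlers.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def render_search_result(query: str) -> str:
    """Vulnerable rendering: the reflected 'query' is placed into HTML unescaped,
    which is the reflected-XSS pattern the post describes for admin pages."""
    return f"<p>Results for: {query}</p>"


def render_search_result_safe(query: str) -> str:
    """Hardened rendering: HTML-encode the reflected value so a payload is
    displayed as text instead of being parsed as markup."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def upload_allowed(filename: str) -> bool:
    """Policy check for the file manager: refuse any name that carries a
    server-executable extension anywhere in its extension list, so a
    stored-XSS-driven upload of a PHP file is rejected even when the
    request arrives with a valid administrator session."""
    # Normalise path separators, drop any directory part, then strip
    # surrounding whitespace and trailing dots some filesystems ignore.
    name = posixpath.basename(filename.replace("\\", "/")).strip().rstrip(".")
    if not name or name.startswith("."):
        # Empty names and dotfiles (e.g. server config files) are never uploads we want.
        return False
    # Every extension counts: 'a.php.txt' -> ['php', 'txt'], so double extensions are caught.
    extensions = name.lower().split(".")[1:]
    return not any(ext in EXECUTABLE_EXTENSIONS for ext in extensions)
```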

GitBucket v4.37.1

In the last case, GitBucket v4.37.1, a security bug was found that can allow an attacker to launch a stored XSS attack from various locations. Aleksey Solovev says that an attacker who has a stored XSS can try to exploit it in order to execute code on the server. The admin panel has a tool for performing SQL queries: the Database viewer.

GitBucket uses H2 Database Engine by default. For this database, there is a publicly available exploit to achieve Remote Code Execution. So, all an attacker needs to do is create PoC code based on this exploit, upload it to the repository and use it during an attack.
