Not a bug Security issue?

Status
Not open for further replies.

cyanidee

New member
Affected version
v2.1.4 or before up to latest version

Exploit possibilities:

Arbitrary File Read : Access and exfiltrate sensitive files on the server, such as config.php (containing database credentials) and /etc/passwd.
Server-Side Request Forgery (SSRF) : Bypass firewalls, access internal systems, and retrieve the origin IP address of the server (bypassing Cloudflare) and port scanning internal networks.
Denial of Service (DoS) : Overload the server by triggering functions.

The mentioned exploits above can all be done by the same vulnerable function.


What privileges you need to perform the exploit:

An account that can edit widgets or templates that have xenforo syntax.

Versions:

v2.1.4 or maybe even before up to newest version (0day).


Other possibilities:

Might be able to get RCE (I am guessing based on the source code however I have not accomplished this, since the exploit is a bit "weird" /advanced)



If it is considered an exploit then I would like to report it, also does xenforo give out any rewards and how critical would this exploit be considered?
 
An account that can edit widgets or templates that have xenforo syntax.
Working as designed. An administrator with access to functionality (ads, widgets, templates, etc.) that allows XF template syntax can do pretty much everything.
 
This was already reported in 2021 and assigned CVE-2021-43032. I don’t think any XenForo customer would actually consider this a major vulnerability: admin access is intended exclusively for fully trusted individuals, and the admin permissions clearly aren’t robust enough to prevent a malicious admin from taking over the site or its servers.

One could argue that it’s not ideal—as was done in CVE-2021-43032—but it is by design, not by accident.
 
This was already reported in 2021 and assigned CVE-2021-43032. I don’t think any XenForo customer would actually consider this a major vulnerability: admin access is intended exclusively for fully trusted individuals, and the admin permissions clearly aren’t robust enough to prevent a malicious admin from taking over the site or its servers.
I have read the CVE report you provided and it is different to the exploit I have found and is not the same at all.

The CVE you mentioned was an XSS vulnerability which was executed on the client side, which in the worst case scenario would be able to steal a user's cookies or edit the page to look different (phishing). However, the exploit you mentioned is not actually a vulnerability since it actually is an intended function in the XF syntax; for example you can use:

<xf:js>
alert("XSS");
</xf:js>


With the exploit I have found you can request external sites, or internal networks and bypass all types of firewalls immediately, you can also read any file on the system the server has access to, including the database password and username.

The exploit I have found is not XSS and is completely different from the one you provided, CVE-2021-43032. The exploit I have found is a 0day and there is currently no patch even in the latest xenforo release, v2.3.5, and it also works all the way back to 2.1.x.


One could argue that it’s not ideal—as was done in CVE-2021-43032—but it is by design, not by accident.
In the templating syntax of xenforo there are functions that are not whitelisted (the majority of them) which otherwise would lead to remote code execution and a lot of issues. Therefore your logic of this being intended and that it's by design and not accident is very questionable; perhaps staff can verify this. Also one hacked admin would be able to read all files of a system, steal database usernames and passwords and also crash it, in addition to SSRF which can send requests to other internal applications behind firewalls (this would be a very questionable design by the staff, if it was intended).
 
Working as designed. An administrator with access to functionality (ads, widgets, templates, etc.) that allows XF template syntax can do pretty much everything.
Hello Kirby, I am glad for your answer; however, I am a bit skeptical about your claims that having an admin account could do pretty much anything. Can you perhaps give me some code to put in a template that can read files, any type of SSRF or anything remotely similar (not including XSS)?
 
Generally accounts that require you to have full access to a system (the permissions required for this specifically are something I only give myself and maybe one other person) are less severe than you are blowing this one out to be.

You should follow standard reporting procedures (Here is a good guide: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html), so that the developers can fully understand what you are reporting to see if it is a security exploit.
 