HTML Injection in Craft-Cms Application

Somnath Mondal
3 min read · Jun 9, 2023


Craft CMS

Hello, fellow security researchers and bug bounty hunters.

In this article, I will share my experience of discovering an HTML injection vulnerability together with my colleague.

Firstly, let’s have an overview of HTML Injection.

What is HTML Injection?

HTML injection is an attack comparable to cross-site scripting (XSS). Where an XSS vulnerability lets the attacker inject and execute JavaScript, HTML injection only permits the injection of specific HTML tags. When an application fails to handle user-supplied data properly, an attacker can inject their own content into a page by supplying valid HTML, usually through a parameter value. Because the attack relies on both a code-level flaw and the user’s trust in the page, it is frequently combined with some form of social engineering.

What is Craft CMS?

Craft is a versatile, user-friendly CMS for designing unique digital experiences for the web and other platforms.

It features:

  1. A simple, user-friendly control panel for managing tasks and creating content.
  2. A front-end development and content-modelling approach that starts from scratch and has no preconceived notions about how your content should be used.
  3. An integrated plugin store with hundreds of paid and free plugins.
  4. A strong framework for the creation of modules and plugins.
  5. A lively, dynamic community.

Let us now dive into the Application and find the 🐞

Prerequisites: Redactor Plugin

Steps to Reproduce:

  1. Log in to the application’s admin page.
  2. Go to the plugin store, search for Redactor and install it.
  3. Go to “Settings -> Fields” and add a new field. Make sure to use Redactor as the field type.
  4. Add a custom Redactor config that enables only bold and italic formatting, and save the field.
  5. Go to “Settings -> Globals” and add a new Global.
  6. In Field layout, add a tab by clicking “New tab” and add the previously created field to the tab. Save the Global.
  7. Open the Global and observe that only the bold and italic styles are offered.
  8. Enter some text in the textbox, then right-click and select “Inspect”.
  9. In the Inspector, observe that the element carries the attribute style=”display: none;”.
  10. Delete “none” so that the attribute reads style=”display:;”.
  11. Observe that a black terminal-style box is now visible in the UI where only the textbox was before.
  12. The box contains the HTML code of the text entered in step 8.
  13. We inserted an HTML injection payload in the box and clicked “Save”.
  14. After saving, we observe that our HTML injection payload is saved successfully and is also reflected in the web application; if a user clicks it, they are redirected to the URL contained in the payload.
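The steps above show that a hidden source-code view, not the visible toolbar, decides what reaches the server: the toolbar restriction to bold and italics is enforced only in the browser. The defensive fix is for the server to apply the same allowlist itself before storing the field, and the same routine doubles as a check for content that has already been stored. The following Python sanitizer is an added example written for this article; it is not Craft CMS or Redactor code, and the allowlist (ALLOWED_TAGS), the sample inputs and the function names are assumptions chosen to mirror a field configured for bold and italic only.

```python
"""Server-side allowlist sanitizer for a "bold and italic only" rich-text field.

Added example, not Craft CMS or Redactor code. It rebuilds the markup from
a parse, keeping only allowlisted tags and no attributes at all, so that
whatever the client sent (toolbar or hand-edited source view) is reduced
to what the field is meant to hold.
"""
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist for the field described in the article: only
# bold/italic formatting plus basic paragraph structure.
ALLOWED_TAGS = {"b", "strong", "i", "em", "p", "br"}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags, with no attributes; record what was dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized fragments
        self.stack = []    # currently open allowlisted tags, for balancing
        self.dropped = []  # audit trail of removed tags/attributes

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # <a href=...>, <script>, <iframe>, <img> etc. are never re-emitted.
            self.dropped.append(f"<{tag}>")
            return
        if attrs:
            # Even an allowed tag loses href/style/on* attributes.
            self.dropped.append(f"attrs on <{tag}>: {attrs}")
        self.out.append(f"<{tag}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.stack:
            # Close anything opened after this tag, then the tag itself,
            # so the output is always well-formed.
            while self.stack:
                top = self.stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        # Text is re-escaped so a stray '<' or '&' cannot form new markup.
        self.out.append(escape(data, quote=False))

    def finish(self):
        self.close()
        while self.stack:  # close any tags the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(html_in):
    """Return (clean_html, dropped_items) for a submitted field value."""
    parser = AllowlistSanitizer()
    parser.feed(html_in)
    return parser.finish(), parser.dropped


def is_clean(stored_html):
    """Detection helper: True if a stored value already conforms to the allowlist.

    Running this over existing Globals/entries flags content that was saved
    through a bypassed editor before server-side sanitization was in place.
    """
    clean, _ = sanitize(stored_html)
    return clean == stored_html


if __name__ == "__main__":
    # Constructed sample inputs, including the kind of redirect payload
    # the article describes (anchor to an attacker-chosen URL).
    samples = [
        "Hello <b>world</b>",
        'Click <a href="https://attacker.example/">here</a>',
        '<b onclick="alert(1)">bold</b><script>alert(1)</script>',
        "<i>left open",
    ]
    for s in samples:
        clean, dropped = sanitize(s)
        print(f"{s!r}\n  -> {clean!r}\n  dropped: {dropped}\n  clean already: {is_clean(s)}")
```

The point to take from it is that the allowlist lives on the server and is applied on every save, regardless of which client produced the markup; the `dropped` audit trail gives a natural place to log and alert when an admin session submits tags the field was never meant to accept.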

What would happen next 📶

Simple enumeration will help an attacker find Craft CMS based web applications. All they need to do is append /admin/login to reach the login page. They will then try to brute-force their way into the admin panel and inject the payload. The payload can lure the application’s customers to the attacker’s intended websites, which can be harmful. This also violates the integrity of the application.

To summarise

  • Discoverers: Somnath Mondal, Aadil Dhanani
  • Affected product: Craft CMS
  • Affected or fixed version: Craft CMS 4.4
  • CVE ID: CVE-2023-33495
  • Description: The application allows an individual to enter malicious payloads via HTML injection and treats the payload as a redirection to the attacker’s intended web link. Such URLs can be dangerous and can serve as the entry point for a larger attack.
  • Impact: Customers of the application could be tricked by this vulnerability into visiting the attacker’s intended websites, which could be dangerous. Additionally, this violates the application’s integrity.
