PyroCMS v3.0.1 - Stored XSS

Exploit Author: tmrswrr Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2024-05-13 
# Exploit Title: PyroCMS v3.0.1  - Stored XSS
# Date: 2023-11-25
# Exploit Author: tmrswrr
# Category : Webapps
# Vendor Homepage: https://pyrocms.com/
# Version: v3.0.1
# Tested on: https://www.softaculous.com/apps/cms/PyroCMS



----------------------------------------------------------------------------------------------------


1-Login admin panel , go to this url : https://127.0.0.1/public/admin/redirects/edit/1
2-Write in Redirect From field your payload : <sVg/onLy=1 onLoaD=confirm(1)//
3-Save it and go to this url : https://127.0.0.1/public/admin/redirects
4-You will be see alert button


PyroCMS v3.0.1 — Stored Cross‑Site Scripting (XSS): Overview and Remediation

Stored cross‑site scripting (XSS) is a high‑risk web vulnerability in which an attacker injects malicious script into data that is later rendered by the application in other users’ browsers. In PyroCMS v3.0.1 a stored XSS was reported in the redirects/admin UI where user‑controlled redirect fields were persisted and later rendered without proper output encoding. The result is arbitrary JavaScript execution in an administrator’s browser when they view the affected admin listing or detail pages.

Why this matters

  • Privilege escalation: Admin interfaces are high‑value targets; script execution there can lead to account takeover, configuration changes, or installation of backdoors.
  • Data exfiltration: An attacker can steal session cookies, CSRF tokens, or other secrets accessible to the admin context.
  • Supply‑chain risk: If the admin account manages content or plugins, compromise can be used to deliver malicious content to site visitors.

Root cause analysis (conceptual)

The core issue is improper output handling: data stored in the database (from a redirect configuration field) was later rendered in the admin HTML without contextual escaping or sanitization. Rendering untrusted input into an HTML context (for example, inside element content or attributes) without proper escaping allows injection of HTML or script.

Non‑actionable detection & testing guidance

  • Use automated scanners that detect stored XSS behaviors (DAST) against admin interfaces in a controlled environment.
  • Perform code review to find instances where stored values are output with raw output constructs rather than escaped output helpers.
  • Monitor web application logs for unusual input patterns and review recent changes to admin UI rendering code.

Secure coding fixes (recommended patterns)

PyroCMS is built on Laravel, which provides templating and helpers to escape output. The safest default is to escape all untrusted data on output and to validate input on ingestion.

Example — vulnerable output pattern (do not replicate)

<!-- Vulnerable view snippet — renders raw content into HTML -->
<td>{!! $redirect->from !!}</td>

Explanation: The {!! ... !!} Blade construct outputs raw, unescaped HTML. If $redirect->from contains attacker‑controlled content, it will be rendered as HTML/JS, enabling stored XSS.

Secure replacement — escape on output

<!-- Secure view snippet — escape output by default -->
<td>{{ $redirect->from }}</td>

Explanation: The {{ ... }} Blade construct automatically escapes output using htmlspecialchars, preventing injected HTML/JS from being interpreted by the browser. Use it for any value that can be influenced by users.

Input validation and sanitization

Validate fields to accept only the expected format. For a redirect originating path, prefer strict rules (for example, a path or a hostname). In Laravel Form Request validation you can require safe character sets or use built‑in url/path validators.

// Example Laravel Request rules (simplified)
public function rules()
{
    return [
        // If "from" should be a path, restrict to allowed chars and length
        'from' => ['required', 'string', 'max:255', 'regex:/^[A-Za-z0-9\-\/_\.]+$/'],
        // If "to" must be a URL:
        'to' => ['required', 'url', 'max:2048'],
    ];
}

Explanation: These rules ensure that stored values conform to expected formats and reduce the chance of storing dangerous markup. Tailor regex to the exact allowed syntax for your application.

Sanitization when HTML is required

If the application legitimately accepts limited HTML, use a robust sanitizer (e.g., HTML‑Purifier or a well‑maintained sanitization library) and apply a white‑list policy rather than trying to strip tags with ad‑hoc regex.

// PHP example using HTMLPurifier (conceptual)
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$safeHtml = $purifier->purify($userProvidedHtml);

Explanation: HTMLPurifier removes or neutralizes dangerous tags and attributes, producing a safe subset of HTML. Use server‑side sanitization when accepting HTML input.

Additional runtime mitigations

  • Set a strict Content‑Security‑Policy (CSP) that disallows inline scripts and only allows scripts from trusted origins (use nonce or hash for trusted inline code if needed).
  • Enable HTTP security headers: X‑Content‑Type‑Options: nosniff, X‑Frame‑Options, Referrer‑Policy, and Strict‑Transport‑Security (HSTS).
  • Scope admin interfaces to trusted IPs or require MFA for admin logins to reduce exposure.
// Example CSP header to reduce impact of XSS (conceptual)
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';

Explanation: This CSP blocks script execution from untrusted sources and prevents many classes of injection from translating into full exploitation. It is a defense‑in‑depth control, not a substitute for proper escaping.

Recommended remediation steps

  • Upgrade PyroCMS to the latest patched release that includes the fix.
  • Audit the admin views and templates for any raw output constructs and replace them with escaped output.
  • Apply input validation and sanitize stored content where necessary.
  • Perform a targeted security review of any other admin modules that accept and render user input (files, settings, content editors).
  • Deploy CSP and other security headers, and require strong authentication (MFA) for admin accounts.

Detection after remediation

  • Re‑scan the application with DAST tools configured to test stored injection vectors.
  • Conduct manual code reviews for templating constructs that output data without escaping.
  • Perform penetration tests in a staging environment with realistic admin workflows to validate fixes.

Responsible disclosure & lifecycle considerations

Organizations maintaining PyroCMS or sites running affected versions should treat admin‑facing XSS as high priority. Coordinate patch deployment with change control, notify stakeholders, and rotate credentials for admin users if you suspect compromise. Maintain an up‑to‑date security policy for reporting and fixing vulnerabilities.

References & further reading

Topic Why it helps
Output Encoding (OWASP) Guidance on encoding untrusted data for different HTML contexts.
Content Security Policy Browser controls that limit script sources and reduce XSS impact.
HTML Sanitizers (HTMLPurifier) Server‑side sanitization for applications that must accept HTML.