
Modern Campus - Omni CMS

CVE-2023-35858, CVE-2023-35859, CVE-2023-35860



Introduction:

A Content Management System (CMS) is a software application or platform that allows users to create, manage, and organize digital content, typically for websites and online applications. These programs are designed to simplify the process of publishing content on the internet, enabling users with little or no technical knowledge to create and maintain websites or web-based applications easily. Modern Campus OmniCMS is specifically designed to meet the CMS needs of Higher Education organizations [1].


The MITRE Common Vulnerabilities and Exposures (CVE) program is a widely recognized and respected initiative that focuses on identifying and standardizing the names and definitions of publicly known software vulnerabilities. This program aims to provide a common language and framework for discussing and sharing information about security vulnerabilities in software systems and applications.


During a penetration test for one of our clients, RedLens InfoSec discovered several significant vulnerabilities within version 2023.1 of the Modern Campus OmniCMS platform. The technical details of the discovered vulnerabilities were provided to the Modern Campus technical support team for remediation and to the MITRE Common Vulnerabilities and Exposures (CVE) program [2] for tracking. A short description of the discovered vulnerabilities follows:


  • CVE-2023-35858: XPath Injection vulnerabilities in the blog and RSS functions of Modern Campus - Omni CMS 2023.1 allow a remote, unauthenticated attacker to obtain application information.
  • CVE-2023-35859: A Reflected Cross-Site Scripting (XSS) vulnerability in the blog function of Modern Campus - Omni CMS 2023.1 allows a remote attacker to inject arbitrary scripts or HTML via multiple parameters.
  • CVE-2023-35860: A Directory Traversal vulnerability in Modern Campus - Omni CMS 2023.1 allows a remote, unauthenticated attacker to enumerate file system information via the dir parameter to listing.php or rss.php.


Recommendation:

Modern Campus OmniCMS is a remotely managed platform. The identified vulnerabilities were remediated for all clients on 7/13/2023, with the introduction of patch 2023.2.


CVE-2023-35858: XPath Injection vulnerabilities in the blog and RSS functions of Modern Campus - Omni CMS 2023.1 allow a remote, unauthenticated attacker to obtain application information.


Impact

XML Path Language (XPath) queries are used by web applications to select nodes from XML documents; the values stored in the selected nodes are then used by the application. When user input is placed directly into such a query, a malicious actor can compare the results returned for selected built-in functions (differential analysis) and, from the differences, enumerate the XPath version in use.


[1] https://moderncampus.com/products/web-content-management.html

[2] https://www.cve.org/

Figure 1 – XPath Error Message


The payload below uses built-in XPath functions to evaluate false for all records. No results are returned:

Figure 2 – False XPath Built-in Expression

The payload below uses built-in XPath functions to evaluate true for all records. All available results are returned:


Figure 3 – XPath Built-in True Expression


The XPath built-in function “lower-case” was incorporated into XPath version 2.0. The “function not found” error below indicates XPath 1.0 is in use:


Figure 4 – XPath Built-in Function Version Enumeration
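The root cause of injections like the one above is user input concatenated into the query text, which lets a value close the string literal and append its own predicate. The following Python is an added illustration written for this advisory, not code from Omni CMS or Modern Campus: it contrasts a concatenated query with one that encodes the whole input as an XPath 1.0 string literal, using the concat() trick for values that contain both quote characters (XPath 1.0 has no escape sequences), and adds an allowlist for parameters that should only ever be simple identifiers. The element names (`post`, `title`), the slug pattern and the sample values are assumptions chosen for the example.

```python
import re

# Constructed allowlist for identifier-style parameters; not taken from the product.
SAFE_SLUG = re.compile(r"[A-Za-z0-9_-]{1,64}")


def xpath_literal(value: str) -> str:
    """Encode an arbitrary string as an XPath 1.0 string literal.

    XPath 1.0 has no escape sequences, so a value that contains both quote
    characters must be assembled from pieces with concat().
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in pieces) + ")"


def vulnerable_query(title: str) -> str:
    """Concatenation: the input can close the literal and add its own predicate."""
    return f"//post[title='{title}']"


def hardened_query(title: str) -> str:
    """The whole input becomes one string literal, whatever quotes it contains."""
    return f"//post[title={xpath_literal(title)}]"


def blog_slug_or_none(value: str):
    """Allowlist for parameters that should only ever be simple identifiers."""
    return value if SAFE_SLUG.fullmatch(value) else None


if __name__ == "__main__":
    # Constructed tautology of the kind the advisory describes as "true for all records".
    always_true = "' or '1'='1"
    print(vulnerable_query(always_true))   # predicate now matches every post
    print(hardened_query(always_true))     # predicate compares against the literal text
    print(hardened_query("""O'Neil's "Welcome" post"""))
```

Where the XPath engine supports variable binding (lxml's `xpath(..., name=value)`, or XPath variables in other engines), binding is preferable to quoting; PHP's DOMXPath, which a `.php` endpoint would typically use, offers no binding, so the literal-encoding helper plus an allowlist is the practical fix there.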

CVSS 3.1 Vulnerability Score – 5.3

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N&version=3.1

 

CVE-2023-35859: A Reflected Cross-Site Scripting (XSS) vulnerability in the blog function of Modern Campus - Omni CMS 2023.1 allows a remote attacker to inject arbitrary scripts or HTML via multiple parameters.

 

Impact

When an application is affected by a Reflected Cross-Site Scripting vulnerability, an attacker can embed an attacker-controlled script in a URL and send that URL to another user. Once the user navigates to it, the script executes in the user's browser, within the context of that user's session, and carries out any scripted actions:


Figure 8 – Cross Site Scripting Example
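Reflected XSS is prevented by encoding each reflected parameter for the context it lands in, with a Content-Security-Policy as a second line of defence. The Python below is an added example written for this advisory, not Omni CMS code: a minimal page renderer that reflects two query-string parameters, first verbatim (the vulnerable form) and then HTML-encoded, plus the response headers a hardened handler would send. The template, the parameter names `title` and `sort`, and the sample payload are assumptions.

```python
import html
from urllib.parse import parse_qs

# Constructed page template for the example; not the product's markup.
TEMPLATE = "<h1>Blog: {title}</h1>\n<p>Sorted by: {sort}</p>\n"


def _params(query_string: str) -> dict:
    """Pull the two reflected parameters out of a raw query string."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {
        "title": parsed.get("title", [""])[0],
        "sort": parsed.get("sort", ["date"])[0],
    }


def render_vulnerable(query_string: str) -> str:
    """Reflects the parameters verbatim: markup in the URL becomes markup in the page."""
    return TEMPLATE.format(**_params(query_string))


def render_hardened(query_string: str) -> str:
    """Encodes every reflected value for an HTML text/attribute context."""
    safe = {k: html.escape(v, quote=True) for k, v in _params(query_string).items()}
    return TEMPLATE.format(**safe)


def response_headers() -> dict:
    """Defence in depth: a CSP that blocks inline script even if encoding is missed."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed query string carrying a script tag, as a reflected-XSS probe would.
    probe = "title=%3Cscript%3Ealert(1)%3C%2Fscript%3E&sort=date"
    print(render_vulnerable(probe))
    print(render_hardened(probe))
```

`html.escape` is correct for text and quoted-attribute contexts; a value reflected into a JavaScript block, a URL, or CSS needs the encoder for that context instead, which is why reviewing every reflection point matters more than any single escape call.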

 

CVSS 3.1 Vulnerability Score – 6.1

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N&version=3.1


CVE-2023-35860: A Directory Traversal vulnerability in Modern Campus - Omni CMS 2023.1 allows a remote, unauthenticated attacker to enumerate file system information via the dir parameter to listing.php or rss.php.


Impact

A path traversal attack aims to access files and directories stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, a remote attacker can enumerate the structure of the underlying filesystem:

Figure 6 – Malicious Payload Supplied in the path Parameter


Enumerating the root directory provides a listing of all files present on the server:

Figure 7 – Example Results from Enumerating the Filesystem
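The fix for a traversal in a directory parameter is to canonicalise the requested path and refuse anything that does not resolve beneath the intended root, after decoding the variants the advisory alludes to (URL-encoded, double-encoded, backslash). The Python below is an added example written for this advisory, not Omni CMS code: a resolver for a `dir`-style parameter that returns the canonical path or None, and a small detection helper that flags request-log lines carrying traversal sequences. The root `/var/www/site/blog`, the sample values and the constructed log lines are assumptions; pure string canonicalisation is used so the example runs without touching a filesystem.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example; not a path from the product.
BLOG_ROOT = "/var/www/site/blog"

# Indicators of traversal attempts: plain, URL-encoded and double-encoded dot-dot,
# followed by a forward slash, backslash, or their encoded forms.
TRAVERSAL_PATTERN = re.compile(
    r"(?:\.\.|%2e%2e|%252e%252e)(?:/|\\|%2f|%5c|%252f)", re.IGNORECASE
)


def resolve_listing_dir(user_dir: str, root: str = BLOG_ROOT) -> Optional[str]:
    """Map a user-supplied dir parameter onto a path that must stay under root.

    Returns the canonical path, or None when the request should be refused.
    A production handler should additionally run os.path.realpath() on the
    result so symbolic links inside the root cannot point outside it.
    """
    decoded = unquote(unquote(user_dir))   # collapse single and double URL encoding
    if "\0" in decoded:                     # NUL-truncation tricks
        return None
    decoded = decoded.replace("\\", "/")    # treat backslash as a separator too
    if decoded.startswith("/"):             # no absolute paths
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def looks_like_traversal(request_line: str) -> bool:
    """Detection helper: flag access-log request lines carrying traversal sequences."""
    return TRAVERSAL_PATTERN.search(request_line) is not None


if __name__ == "__main__":
    # Constructed access-log lines for the detection helper.
    sample_log = [
        "GET /listing.php?dir=news%2F2023 HTTP/1.1",
        "GET /listing.php?dir=..%2F..%2F..%2F..%2Fetc HTTP/1.1",
        "GET /rss.php?dir=%252e%252e/%252e%252e/ HTTP/1.1",
    ]
    for line in sample_log:
        print(looks_like_traversal(line), line)
    for value in ("news/2023", "../../etc", "news/../archive", "/etc"):
        print(repr(value), "->", resolve_listing_dir(value))
```

Rejecting rather than stripping `..` is deliberate: a stripping filter can be bypassed by nesting sequences (`....//`), whereas canonicalise-then-compare gives a single decision that is independent of how the input was spelled.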


CVSS 3.1 Vulnerability Score – 5.8

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N&version=3.1