SB2017011601 - Two vulnerabilities in b2evolution

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Stored cross-site scripting (CVE-ID: CVE-2017-5494)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when uploading .swf files for avatar and comments. A remote authenticated attacker can upload malicious .swf file, containing arbitrary JavaScript code and execute it in user's browser in context of vulnerable website, when the victim visits a page with uploaded file.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Directory traversal (CVE-ID: CVE-2017-5480)

The vulnerability allows a remote attacker to view arbitrary files on vulnerable system.

The vulnerability exists due to insufficient sanitization of user-supplied data passed "fm_selected" array parameter in "inc/files/files.ctrl.php" script. A remote authenticated attacker can use directory traversal sequences (e.g. ../) to view contents of arbitrary files on vulnerable system.

Successful exploitation of the vulnerability may allow an attacker to obtain sensitive ad system information.

Remediation

Install update from vendor's website.

References

• https://github.com/b2evolution/b2evolution/issues/34
• https://github.com/b2evolution/b2evolution/commit/261dbd5b294e707af766691e65a177a290314a6e
• https://github.com/b2evolution/b2evolution/issues/35
• https://github.com/b2evolution/b2evolution/commit/26841d9c81f27ad23b2f6e4bd5eaec7f2f58dfe0