
FeehiCMS version 2.1.1 - Reverse Tabnabbing due to Improper Security Attributes Configured for External Links #76

@kiwi865


Reverse Tabnabbing due to Improper Security Attributes Configured for External Links

Severity Score: Medium

CVSS Score: 4.6 Medium, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Description

External links are rendered with target="_blank" but without the rel="noopener noreferrer" security attributes. This allows exploitation via Reverse Tabnabbing, an attack in which the page opened from the link is able to navigate the original tab, for example to replace it with a phishing site. Because the user was originally on the correct page, they are less likely to notice that it has been changed, especially if the phishing site looks the same as the original. If the user then authenticates to this new page, their credentials (or other sensitive data) are sent to the phishing site rather than the legitimate one.

Impact

Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks.

POC

Log in as a backend user. Navigate to the Comments Management function. Update a comment so that its fields contain links.


```http
POST /admin/index.php?r=comment%2Fupdate&id=10 HTTP/1.1
Host: localhost:8081
Content-Length: 411
Cache-Control: max-age=0
sec-ch-ua: "Not=A?Brand";v="24", "Chromium";v="140"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: en-US,en;q=0.9
Origin: http://localhost:8081
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost:8081/admin/index.php?r=comment%2Fupdate&id=10
Accept-Encoding: gzip, deflate, br
Cookie: BACKEND_FEEHICMS=5440ac6b677107979c81bba2e1725e94; _csrf_backend=aa1a406cf3605aa65a70ffdc74b2d296fb53c6a3e287c4db4b55e5635b144f0ca%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22imys3cRYiJYJLd36o-GVC8Zqp3Ml3Tyy%22%3B%7D; PHPSESSID=26fb8e4f9ee735093815221c4fc419fe; _identity=36b1340757dfa97b272930f316919bab2d038b7d849034c6306a06aa8f16e92aa%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A46%3A%22%5B1%2C%22CDtE4877YiX55NQ_UTVXh8DhQ5TZjCKH%22%2C2592000%5D%22%3B%7D; _csrf=bb4f8d35c63f1529608814ced457ad3587f68ab334853e5bb2047aed56f7bbc1a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%223ZCnqhasM7_8OcwWLHzGTsw5PqXitHu-%22%3B%7D
Connection: keep-alive

_csrf_backend=0-H_WmMyQVhVg0P22we_Dk_pRRoFjJp6Qzw1u06cvkW6jIYpUFETATzJGryXY4w4IMQCTEa0wAszD3jXfcjHPA%3D%3D&Comment%5Bnickname%5D=http%3A%2F%2Fznq2el1xx3lcxr8if7us9x1uxl3cr2fr.oastify.com&Comment%5Bcontent%5D=aaa&Comment%5Bwebsite_url%5D=http%3A%2F%2Fznq2el1xx3lcxr8if7us9x1uxl3cr2fr.oastify.com&Comment%5Bip%5D=http%3A%2F%2Fznq2el1xx3lcxr8if7us9x1uxl3cr2fr.oastify.com&Comment%5Bstatus%5D=&Comment%5Bstatus%5D=1
```

Observe that the resulting external links are rendered with target="_blank" but without the rel="noopener noreferrer" security attributes.

Remediation

  1. Enforce the rel="noopener noreferrer" security attributes on every external link rendered by the application that opens in a new tab (target="_blank").
