Jan 24, 2018

Reflected XSS + Possible Server Side Template Injection in HubSpot CMS (all websites using HubSpot were affected)




Reflected XSS + Possible Server Side Template Injection in HubSpot CMS

(more than 1000 websites using HubSpot were affected)

It was my first good bug. While I was testing a website for bugs, I found the path /_hcms/, which means it is controlled by the HubSpot service.

I found it in this path: /_hcms/cta


The affected parameter was ?referrerUrl=


First: possible server-side template injection


Server-side template injection occurs when user-controlled input is embedded into a server-side template, allowing users to inject template directives. This allows an attacker to inject malicious template directives and possibly execute arbitrary code on the affected server.

URL encoded GET input referrerUrl was set to {{7*7}}

The response contained the result of the evaluated expression: 49
I tried to exploit it with a Jinja injection, but I failed. I got:

Or

Illegal character in query at index 81:


Now the great XSS



With help from Frans Rosén, who was able to break out of the element


with this payload:
{%25+macro+field(x)+%25}{{x}}+<b>ok</b>{%25+endmacro+%25}{{+field(1)%7curlize+}}



Then the XSS payload was cool:

{%25+macro+field()+%25}moc.okok//:ptth//)niamod.tnemucod(trela:tpircsavaj=daolno+gvshttp://http:""//{%25+endmacro+%25}{{+field(1)%7curlize%7creverse%7curlize%7creverse%7curlize%7creverse+}}
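As an added example (not part of the original post, and not HubSpot's code), here is a small defender-side Python script covering both findings above. It scans constructed Apache-style access-log lines for query parameters that carry template syntax, such as the {{7*7}} probe and the {% macro %} shape of the payloads, after undoing the repeated percent-encoding those payloads rely on (%25 for %), and it shows how a value like referrerUrl should be handled as data: validated as an http(s) URL and HTML-escaped on output, never rendered as a template. The log lines, the regex and the helper names are my own assumptions.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not taken from the original post). The
# query strings reuse the probe and payload shapes shown in the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2018:10:00:01 +0000] "GET /_hcms/cta?referrerUrl=https://example.com/page HTTP/1.1" 200 512
10.0.0.6 - - [22/Jan/2018:10:00:02 +0000] "GET /_hcms/cta?referrerUrl=%7B%7B7*7%7D%7D HTTP/1.1" 200 498
10.0.0.7 - - [22/Jan/2018:10:00:03 +0000] "GET /_hcms/cta?referrerUrl={%25+macro+field(x)+%25}{{x}}{%25+endmacro+%25} HTTP/1.1" 200 530
10.0.0.8 - - [22/Jan/2018:10:00:04 +0000] "GET /_hcms/cta?referrerUrl=https://example.com/?q=%7Bplain%7D HTTP/1.1" 200 500
"""

# Jinja-style expression, statement and comment delimiters. A single brace
# (line 4 of the sample) is ordinary URL data and must not match.
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.S)

# Pulls the request target out of the quoted request line of a log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (the payloads above encode '%' as '%25')."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_template_probes(log_text):
    """Return (source_ip, param_name, decoded_value) for every query parameter
    whose decoded value contains template syntax."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        source_ip = line.split()[0]
        query = urlsplit(match.group(1)).query
        # parse_qs already decodes one layer ('+' -> ' ', '%25' -> '%').
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                decoded = fully_decode(value)
                if TEMPLATE_SYNTAX.search(decoded):
                    hits.append((source_ip, name, decoded))
    return hits


def safe_referrer(raw):
    """Treat referrerUrl as data, not as a template: accept only absolute
    http(s) URLs and HTML-escape the result before it is placed in a page.
    Anything else (including template syntax) yields an empty string."""
    decoded = fully_decode(raw)
    parts = urlsplit(decoded)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ""
    return html.escape(decoded, quote=True)


if __name__ == "__main__":
    for source_ip, name, value in find_template_probes(SAMPLE_LOG):
        print(f"template syntax from {source_ip} in {name}: {value!r}")
    print(repr(safe_referrer("%7B%7B7*7%7D%7D")))
    print(repr(safe_referrer("https://example.com/?q=<b>ok</b>")))
```

Running the block flags only the two probe lines (the {{7*7}} request and the macro payload, both from their source IPs) and leaves the ordinary URLs alone; the validation step is the fix a developer would apply, since the scanner finding at the top of this post comes from the parameter being evaluated as a template rather than echoed as an escaped string.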

Some affected websites:

www.hubspot.com
blog.bugcrowd.com
cashflows.com
pages.bugcrowd.com
www.itbit.com

And more than 1000 websites.

Report status:

22/1/2018
HubSpot_Security changed the priority to P2
HubSpot_Security rewarded 20 points to you
HubSpot_Security changed the state to Resolved
23/1/2018


Security Researcher at Many Websites - Bug Hunter - Civil Engineer Student
