Fortinet’s FortiGuard Labs Discovers Multiple dotCMS Vulnerabilities

In June 2022, Fortinet's FortiGuard Labs discovered and reported four vulnerabilities in dotCMS—an Open Source Hybrid CMS built on Java technology that combines the flexibility of a headless CMS with the efficiency of traditional content authoring.

The vulnerabilities were found in versions 22.05 and below. At the time of the writing of this advisory, discovered issues have been fixed and updates published by the vendor. FortiGuard Labs appreciates the vendor’s quick response and timely fixes.

The following is a summary of the discovered vulnerabilities:

1. [FG-VD-22-062] Multiple Cross-Site Scripting in Admin portal
2. [FG-VD-22-063] XSSFilter mechanism bypass using urls with semi-colons
3. [FG-VD-22-076] Server-side Request Forgery redirection bypass in TempFileAPI
4. [FG-VD-22-077] Denial-of-Service by overloading temp file import

Vulnerability Details

FG-VD-22-062 Multiple Cross-Site Scripting in Admin portal

Multiple endpoints were found to be vulnerable to Cross-site Scripting (XSS) in the Admin portal. However, such XSS can be rendered harmless because dotCMS has a XSSFilter mechanism that helps prevent the exploitation of this vulnerability. While this default mechanism can be turned off via option XSS_PROTECTION_ENABLED=false, because the XSSFilter mechanism is enabled by default the vendor has concluded this XSS vulnerability to be a no-fix issue.

FG-VD-22-063 XSSFilter mechanism bypass using urls with semi-colons

The XSSFilter is an input sanitizer designed by the vendor to minimize XSS and Cross-Site Request Forgery (CSRF) vunerabilities in the administrator portal. Under the hood, dotCMS blocks direct access to all files under the administrative directories, e.g. /html, /dotAdmin, etc. But access to administrative directories will be granted if a valid Referer or Origin header is specified in an HTTP request. We successfully demonstrated how to bypass the XSSFilter by using Matrix Parameters, as described in this previous blog post, to initiate a XSS attack in the default config, leading to a critical compromise.

FG-VD-22-076 Server-side Request Forgery redirection bypass in TempFileAPI

On 14 December 2021, dotCMS released a fix for SI-60, which is a SSRF vulnerability in the dotCMS core TempFileAPI. However, the fix is incomplete and we successfully bypassed it by using a Redirection technique.

FG-VD-22-077 Denial-of-Service by overloading temp file import

Another issue is located in TempFileAPI when it tries to access and download the contents of remote URL. Directing it to access a heavy file using multiple requests at once results in memory exhaustion or DoS.

FortiPenTest against 0-days and N-days dotCMS vulnerabilities

In this section, we will demonstrate how a FortiPenTest customer could use FortiPenTest to detect whether their dotCMS instance is vulnerable. FortiPenTest is a Fortinet developed cloud-native penetration test tool based on common standards like the OWASP Top 10 list of application vulnerabilities. It is designed to use Fortinet’s extensive FortiGuard research results and knowledge base to test target systems for security vulnerabilities.

FortiPenTest uses an Exploit Engine that enables security practitioners to explore potential application vulnerabilities hosted on a target network and determine the exploitability of any applications found to be vulnerable. Our researchers used this tool to create the following signatures to identify dotCMS vulnerabilities:

• cve-2022-37431-dotcms-multiple-cross-site-scripting.fse
• cve-2022-35740-dotcms-xssfilter-bypass.fse
• cve-2022-37033-dotcms-server-side-request-forgery.fse
• cve-2022-37034-dotcms-denial-of-service.fse
  

If you are interested in knowing more about the features and benefits of FortiPenTest, check out the product page here.

Fortinet Protections

FortiGuard Labs released the following IPS signatures to cover all the vulnerabilities mentioned in this report:

• dotCMS.Core.XSSFilter.Bypass
• dotCMS.Portal.State.XSS        
• dotCMS.Portal.Frame.XSS      
• dotCMS.Portal.Structure.XSS 
• dotCMS.Portal.Lang.XSS        
• dotCMS.Portal.Index.XSS       
• dotCMS.Portal.TestQuery.XSS

Users are also strongly urged to apply the latest patched from the vendor: https://www.dotcms.com/docs/latest/current-releases.

Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.