ClickJacking to full compromise of OpenCMS
As part of our ongoing commitment to Open Source security, Pentest Ltd conducted a research project into OpenCMS version 11.0.2. This found ten (10) vulnerabilities, as described in Multiple Vulnerabilities in OpenCMS 11.0.2. These have all been patched in the most recent release (12.0.0).
Two vulnerabilities could allow remote and unauthenticated attackers to compromise OpenCMS. This post covers how to use ClickJacking to do so, as demonstrated in the video below:
What is ClickJacking?
ClickJacking is a form of “session riding” allowing an attacker to interact on the target site within the privileges of their victim. Successful exploitation requires the victim to visit a maliciously generated website while they are authenticated to the target site.
The user believes they are interacting only with the malicious site. However, they are also interacting with the target site without their knowledge. To achieve this the attacker includes the target site within an iframe which is invisible to the victim. No matter where the victim clicks the attacker ensures that the parts of the target site that are required for exploitation are underneath the user’s action.
ClickJacking techniques can:
- Click on any GUI element – allowing links to be followed, check boxes, radio buttons and forms to be submitted.
- Paste text into form fields – after selecting a text field it is possible to populate it with attacker-chosen text via copy/paste.
Together these permit attackers to populate and submit forms which are not protected by CAPTCHA technology or by requiring the current password.
ClickJacking is limited because it cannot read data from the Document Object Model (DOM) and is therefore said to be “blind”.
The impact is a loss of integrity for the user account (as actions cannot be verified to have come from users). The true impact assessment can only be made after evaluating what functionality is vulnerable and fully assessing the context.
For a general overview of ClickJacking please read reference .
OpenCMS 11.0.2 was vulnerable to ClickJacking because it had no defences to prevent it.
To confirm this the consultant created an HTML file which included this “iframe” tag:
To replicate this finding, first authenticate as an “admin” level user. Save the above in a “.html” file and then open it in another tab within the same web browser.
The browser will include the target site within an iframe as demonstrated below:
Figure 1 – Sensitive Functions accessible within Iframes
Figure 2 – Saving JSP Files within an Iframe
The above functionality was available only to “admin” level users. They were not adequately protected from attack and both could allow the full compromise of the OpenCMS server.
Proof of Concept: Obtaining Admin Access
The PoC was generated to exploit the SQL console. To exploit this the victim must perform two interactions:
- Initiate a drag and drop which goes from the attacker’s site into the query console; then
- Click on the “Execute” button to submit the query.
The SQL query below was used as the payload. When executed this changes the password hash for the “Admin” user to “admin”:
UPDATE CMS_USERS SET USER_PASSWORD="$s0$e0801$AmdC2o/qA18zek6ENKpjpw==$nJqS+ZHFIAawhqNWx6rjeBnYnSzmDjzTC5ooIJWFX1o=" WHERE USER_NAME="Admin"
The attacker must convince the victim to interact with a website under their control. The exploit site used in the demonstration contained the HTML below:
Football is lost. Help it home!
If this was opened in a web browser by an authenticated “Admin” user it would appear as shown:
Figure 3 – ClickJacking Exploit Site
While crude this was a simple game asking the user to drag the ball into the goal. The attack worked because the image of the goal was in the background and there was an invisible iframe hidden in front of it. The following shows the same screen where the iframe was made visible:
Figure 4 – ClickJacking Page where the iframe was visible
The attacker required the victim to drag and then drop the ball anywhere within the red rectangle for their malicious query to be delivered. A second after the ball was dragged the UI updated to hide the ball and to display a prompt for the victim to claim their prize:
Figure 5 – ClickJacking step to click on “Execute” button
The SQL query was executed when the “Claim Prize” button was clicked. This demonstrated the risk of ClickJacking against the unprotected SQL Console functionality. It is also possible to upload a web shell through the admin’s file upload function. However, that would require significantly more user interactions, decreasing (but not removing) the chances of success.
Risk Category: High
CVSS: 8.3 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Explanation: Due to the functionality that was available within the application (direct access to the database, and remote code execution via JSP) the risk posed by ClickJacking was “High”.
Implement ClickJacking defences by default for OpenCMS deployments. If users need to disable these defences, they should be warned about the consequences before being allowed to have their sites embedded within an iframe.
For full details of the defences that are available please read reference . The following summarises those:
Add an HTTP response header as shown:
Content-Security-Policy: frame-ancestors 'none'
This prevents any origin framing the content. Review reference for more permissive options.
This is a newer standard and is not supported in all major web browsers. X-Frame-Options takes priority if present in Chrome & Firefox.
Add an HTTP response header as shown:
Again, review reference for more permissive options.
The setting is required per page, so every HTTP response must include the header for full coverage.
- Best-for-now Legacy Browser Frame Breaking; or
- Window.confirm() protection
- Vulnerable in: OpenCMS 11.0.2
- Fixed in: 12.0.0
The application now uses HTTP headers which prevent the site from loading in an iframe, which removes the risk of ClickJacking.
HTTP/1.1 200
Content-Security-Policy: frame-ancestors 'self';
X-Frame-Options: SAMEORIGIN
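The fix above sets both anti-framing headers. The check below, an added example that is not OpenCMS code, parses a raw response head like the one above and reports which of the two headers would still permit a given embedding origin; since browsers differ in which header they honour, it treats a page as protected only when both headers deny the framer. The response texts and the cms.example / attacker.example origins are constructed placeholders.

```python
# Added example (not OpenCMS project code): evaluate the two anti-framing
# headers in a raw HTTP response head for a given embedding origin.
from urllib.parse import urlsplit

def parse_response(raw: str) -> dict:
    """Map lower-cased header names to values; line 0 is the status line."""
    pairs = (l.split(":", 1) for l in raw.splitlines()[1:] if ":" in l)
    return {n.strip().lower(): v.strip() for n, v in pairs}

def frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None when it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def source_matches(src: str, page: str, framer: str) -> bool:
    """Does one frame-ancestors source expression permit `framer`? (ports ignored)"""
    if src in ("'none'", "*"):
        return src == "*"
    if src == "'self'":
        return framer == page
    if src in ("http:", "https:"):                      # scheme-only source
        return framer.startswith(src + "//")
    want, got = urlsplit(src if "://" in src else "//" + src), urlsplit(framer)
    if want.scheme and want.scheme != got.scheme:
        return False
    host = want.hostname or ""
    if host.startswith("*."):                           # wildcard subdomain
        return (got.hostname or "").endswith(host[1:])
    return got.hostname == host

def xfo_allows(value: str, page: str, framer: str) -> bool:
    """X-Frame-Options: DENY or SAMEORIGIN; anything else imposes no restriction."""
    v = value.strip().upper()
    return False if v == "DENY" else (framer == page if v == "SAMEORIGIN" else True)

def framing_report(raw: str, page: str, framer: str) -> dict:
    """None = header absent. 'protected' demands that both headers deny the framer."""
    h = parse_response(raw)
    srcs = frame_ancestors(h.get("content-security-policy", ""))
    csp = None if srcs is None else any(source_matches(s, page, framer) for s in srcs)
    xfo = None if "x-frame-options" not in h else xfo_allows(h["x-frame-options"], page, framer)
    return {"csp_allows": csp, "xfo_allows": xfo, "protected": csp is False and xfo is False}

# Constructed responses: a patched-style head with both headers, and an unprotected one.
FIXED = "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors 'self';\r\nX-Frame-Options: SAMEORIGIN\r\n"
UNPROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
```

Running `framing_report(FIXED, "https://cms.example", "https://attacker.example")` reports both headers denying the attacker origin, whereas the unprotected head reports both as absent.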