cms icon indicating copy to clipboard operation
cms copied to clipboard
verified publisher icon liufee

FeehiCMS version 2.1.1 - Reverse Tabnabbing due to Improper Security Attributes Configured for External Links

Open kiwi865 opened this issue 3 months ago • 0 comments

[ Reverse Tabnabbing due to Improper Security Attributes Configured for External Links]

Severity Score: Medium

CVSS Score: 4.6 Medium, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Description

The external links with target="_blank" enabled were not enforced with rel="noopener noreferrer" security attributes allows exploitation via Reverse Tabnabbing, an attack where a page linked from the target page is able to rewrite that page, for example to replace it with a phishing site. As the user was originally on the correct page they are less likely to notice that it has been changed to a phishing site, especially if the site looks the same as the target. If the user authenticates to this new page then their credentials (or other sensitive data) are sent to the phishing site rather than the legitimate one.

Impact

Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks.

POC

Login as a backend user. Navigate to the Comments Management function. Update the comments with links.

Image

POST /admin/index.php?r=comment%2Fupdate&id=10 HTTP/1.1 Host: localhost:8081 Content-Length: 411 Cache-Control: max-age=0 sec-ch-ua: "Not=A?Brand";v="24", "Chromium";v="140" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Language: en-US,en;q=0.9 Origin: http://localhost:8081 Content-Type: application/x-www-form-urlencoded Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: http://localhost:8081/admin/index.php?r=comment%2Fupdate&id=10 Accept-Encoding: gzip, deflate, br Cookie: BACKEND_FEEHICMS=5440ac6b677107979c81bba2e1725e94; _csrf_backend=aa1a406cf3605aa65a70ffdc74b2d296fb53c6a3e287c4db4b55e5635b144f0ca%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22imys3cRYiJYJLd36o-GVC8Zqp3Ml3Tyy%22%3B%7D; PHPSESSID=26fb8e4f9ee735093815221c4fc419fe; _identity=36b1340757dfa97b272930f316919bab2d038b7d849034c6306a06aa8f16e92aa%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A46%3A%22%5B1%2C%22CDtE4877YiX55NQ_UTVXh8DhQ5TZjCKH%22%2C2592000%5D%22%3B%7D; _csrf=bb4f8d35c63f1529608814ced457ad3587f68ab334853e5bb2047aed56f7bbc1a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%223ZCnqhasM7_8OcwWLHzGTsw5PqXitHu-%22%3B%7D Connection: keep-alive

_csrf_backend=0-H_WmMyQVhVg0P22we_Dk_pRRoFjJp6Qzw1u06cvkW6jIYpUFETATzJGryXY4w4IMQCTEa0wAszD3jXfcjHPA%3D%3D&Comment%5Bnickname%5D=http%3A%2F%2Fznq2el1xx3lcxr8if7us9x1uxl3cr2fr.oastify.com&Comment%5Bcontent%5D=aaa&Comment%5Bwebsite_url%5D=http%3A%2F%2Fznq2el1xx3lcxr8if7us9x1uxl3cr2fr.oastify.com&Comment%5Bip%5D=http%3A%2F%2Fznq2el1xx3lcxr8if7us9x1uxl3cr2fr.oastify.com&Comment%5Bstatus%5D=&Comment%5Bstatus%5D=1

Observe that the external links were not configured with rel="noopener noreferrer" security attributes.

Image

Remediation

  1. Enforce rel="noopener noreferrer" security attributes for each external links within the applications.

kiwi865 avatar Oct 02 '25 18:10 kiwi865