This post was edited 2021-06-07 at 20:50 UTC to include a full write-up of the security incident. The original announcement is still available at the bottom of this post.
If you have not yet updated to v1.0.2 or later, do so immediately. The details of the vulnerability are public, and your forum could be maliciously exploited.
Affected versions:
- v1.0.0 - ⚠️ Affected
- v1.0.1 - ⚠️ Affected
- <= v0.1.0-beta.16 - ✅ Not affected
Upgrade instructions:
# Update to latest version
composer update --prefer-dist --no-dev -a -W
# Verify that you're on v1.0.2
composer show flarum/core
# Clear cache
php flarum cache:clear
Preface
On Saturday 5 June 2021 at 23:02 UTC, I (@davwheat) discovered a critical cross-site scripting (XSS) vulnerability in Flarum core, affecting versions v1.0.0 and v1.0.1.
This vulnerability related to the handling of variables passed to core's translator, and the possible conversion of strings into HTML DOM nodes.
The details of this vulnerability were disclosed on the Flarum Discord's #devs-security channel at 23:05 UTC (3 mins after discovery). The vulnerability's CVSS score was 10.0, which is the highest score possible.
The vulnerability was initially found while performing some local testing on an unrelated area of core's code, before noticing that HTML strings entered into the search box would be parsed and inserted into the DOM as HTML instead of text.
This was patched through a combination of efforts from multiple developers, and swiftly pushed to core's master branch at 01:47 UTC the next day (2021-06-06). Matt (@tankerkiller125) manually pushed the update to demo.flarum.site and nightly.flarum.site for testing purposes and to patch the vulnerability. After verifying that the patch worked as expected and didn't have noticeable effects on other areas of core and bundled extensions, it was released as v1.0.2 at 02:26 UTC.
Posts were made on Discuss, including the creation of a new discussion (https://discuss.flarum.org/d/27558) and posts on the v1.0.0 and v1.0.1 release discussions. Jordan (@jordanjay29) sent an announcement in Discord a few minutes later at 02:32 UTC.
What caused the vulnerability?
Flarum's translation system allowed for string inputs to be converted into HTML DOM nodes when rendered. This change was made between v0.1.0-beta.16 and v1.0.0 and was not noticed or documented.
This allowed any user to type malicious HTML markup into certain user input fields and have it executed in client browsers. The example which led to the discovery of this vulnerability was in the forum search box. Entering faux-malicious HTML markup, such as <script>alert('test')</script>, resulted in an alert box appearing on the forum. This attack could also be modified to perform AJAX requests on behalf of a user, possibly deleting discussions, modifying their settings or profile, or even modifying settings on the Admin panel if the attack was targeted towards a privileged user.
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, resulting in a CVSS score of 10, the highest possible. See the CVSS breakdown below.
A security advisory has been published on GitHub detailing the vulnerability: https://github.com/flarum/core/security/advisories/GHSA-5qjq-69w6-fg57. We have been issued a CVE (CVE-2021-32671) that will be published on the official CVE list at mitre.org: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32671
CVSS breakdown
Attack vector: network
This attack is performed over a network without physical or local access required. The network does not have to be adjacent.
Attack complexity: low
The attack can be performed relatively simply and affected all forums, regardless of their individual configuration. It is repeatable under all conditions.
User interaction: none
The example that led to the discovery of this vulnerability does require user interaction: a malicious link must be clicked and then text must be entered into the search box. However, we believe there is a high chance that it may be possible to perform an attack based on this vulnerability without any user interaction.
Scope: changed
The vulnerable component is the Flarum forum. The impacted component is the user's browser, therefore the scope has changed.
Confidentiality impact: high
An impacted user's details could be fully retrieved by the attacker via a malicious AJAX request.
Integrity impact: high
An impacted user's details could be changed by the attacker via a malicious AJAX request.
Availability impact: high
If a forum administrator was impacted, a malicious AJAX request could modify forum settings on the Admin dashboard and result in a full forum denial of service. This could be done by injecting broken JavaScript code into the custom header, resulting in a broken forum frontend.
How was the vulnerability fixed?
When passing variables to the translator, we now perform some extra checks.
Now, if the passed variable is a string, we will wrap it in a Mithril fragment (a VDOM node that does not get converted into an actual node when rendered), and then use that instead. Mithril will ensure that the contents of this fragment are rendered as a string only, and not as HTML markup.
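To make the mechanism concrete, here is an added example (not Flarum's or Mithril's own code) that models the translator with plain objects: arrays stand in for Mithril fragments, a {trusted} object for markup the renderer emits verbatim, and richify() for the step that turned bare strings into HTML. The template, the query parameter and the demo() function are constructed for illustration.

```javascript
const trust = (html) => ({ trusted: html }); // markup rendered verbatim
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a vnode tree to the HTML the browser would end up holding:
// arrays are fragments, {trusted} is emitted verbatim, anything else is text.
function render(node) {
  if (Array.isArray(node)) return node.map(render).join('');
  if (node && typeof node === 'object' && 'trusted' in node) return node.trusted;
  return escapeHtml(node);
}
// Split "Search results for: {query}" into literal pieces and parameter
// values; each parameter passes through wrapParam before joining the list.
function interpolate(template, params, wrapParam) {
  const parts = [];
  const re = /\{(\w+)\}/g;
  let last = 0, m;
  while ((m = re.exec(template)) !== null) {
    parts.push(template.slice(last, m.index), wrapParam(params[m[1]]));
    last = re.lastIndex;
  }
  parts.push(template.slice(last));
  return parts;
}

// Models the behaviour the write-up describes: every bare string left in the
// list, translation text and user-supplied parameter alike, becomes markup.
function richify(parts) {
  return parts.map((p) => (typeof p === 'string' ? trust(p) : p));
}

// wrapStrings=false reproduces the v1.0.0/v1.0.1 behaviour; wrapStrings=true
// models the v1.0.2 fix: string parameters are wrapped in a fragment first,
// so richify() no longer sees them as bare strings and they render as text.
function translate(template, params, wrapStrings) {
  const wrap = (p) => (wrapStrings && typeof p === 'string' ? [p] : p);
  return richify(interpolate(template, params, wrap));
}
// Constructed input mirroring the search-box case from the write-up.
const TEMPLATE = 'Search results for: {query}';
const PAYLOAD = "<script>alert('test')</script>";
function demo() {
  return {
    vulnerable: render(translate(TEMPLATE, { query: PAYLOAD }, false)),
    fixed: render(translate(TEMPLATE, { query: PAYLOAD }, true)),
  };
}
```

demo().vulnerable contains the script tag verbatim, while demo().fixed contains it escaped; markup in the translation string itself still renders as markup in both cases.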
For more info, please see the commit that fixes this vulnerability: flarum/core@440bed8
What did we do right?
The quick disclosure and reaction time of multiple developers allowed for the rapid patching of core. This vulnerability was patched in 3 hours and 24 minutes, which is incredible.
All available members of the core team dropped what they were working on to patch the vulnerability together. Over 630 messages were sent between developers, QA testers and the Foundation board members during the discovery, verification and patching of this vulnerability. We couldn't have asked for anything more from the entire Flarum team when we needed them.
What could we improve?
At the time of the discovery, no online developers had the ability to draft a security disclosure on GitHub. This would have provided us with a secure way to attempt to develop a patch together and review the code more easily. Instead, we needed to send screenshots of code and write suggestions in Discord. This also meant we could only easily test the patch on one device (mine) before pushing to master and then testing on other deployments.
How can we prevent this happening again?
Our rich text formatter is currently located outside of the Flarum organisation. This package was developed independently from the Flarum team, so code reviews by multiple core developers never took place. Even within the organisation, our code reviews often look more closely at code style, correctness and readability than at searching for all possible exploits.
This vulnerability was discovered purely by luck. There is no telling how long this could have remained in Flarum if it had not been caught. We need to work towards having JavaScript tests as standard for Flarum core. We currently have PHP tests which check that users cannot perform dangerous actions if they do not have permission, but we don't have any way to automatically check the forum frontend for possible vulnerabilities and bugs. This would be extremely helpful for future release cycles, bug detection and vulnerability scanning.
Original announcement
Recently we released a critical security fix for Flarum core. We urge all forums running versions v1.0.0 and v1.0.1 to update immediately to v1.0.2.
Affected versions
- v1.0.0 - ⚠️ Affected
- v1.0.1 - ⚠️ Affected
- <= v0.1.0-beta.16 - ✅ Not affected
Impact
This critical vulnerability allows any user to perform a cross-site scripting (XSS) attack, which could result in escalation of privilege and denial of service for forums running the affected versions.
We estimate this to have a CVE score of 10, which is the highest possible severity.
Full details will be available in the near future as forums running on affected versions update.
Patches
All forums running Flarum core v1.0.0 or v1.0.1 should immediately update to v1.0.2.
References
A security advisory has been published on GitHub detailing this vulnerability: https://github.com/flarum/core/security/advisories/GHSA-5qjq-69w6-fg57.
Full details will be available in the near future as forums running on affected versions update.
Credit
Thank you to @davwheat for identifying the vulnerability and providing the patch.
A reminder that if you ever become aware of a security issue in Flarum, please report it to us privately by emailing security@flarum.org, and we will address it promptly.
You can find our full security policy on GitHub.
How to update
Update immediately to Flarum core v1.0.2.
# Update to latest version
composer update --prefer-dist --no-dev -a -W
# Verify that you're on v1.0.2
composer show flarum/core
# Clear cache
php flarum cache:clear
Follow-up
Full details will be available in the near future as forums running on affected versions update.
Support
As always, for support, please create a new discussion in the Support tag.