CVE-2024-25399 - Subrion CMS 4.2.1 adminer.php XSS Vulnerability Explained with Examples

Subrion CMS is a popular open-source content management system written in PHP. In early 2024, a critical security flaw was discovered in version 4.2.1, tracked as CVE-2024-25399. This vulnerability allows attackers to run malicious JavaScript in your browser through a Cross Site Scripting (XSS) attack, specifically via adminer.php.

In this article, I’ll break down what CVE-2024-25399 is, why it’s dangerous, how attackers can exploit it, and how you can protect your Subrion CMS sites.

1. What Is CVE-2024-25399?

CVE-2024-25399 is a Stored/Reflected XSS vulnerability found in the file adminer.php of Subrion CMS 4.2.1. More simply, it means an attacker can make your website serve up their dangerous JavaScript code -- which can steal cookies, hijack sessions, or deface your admin panel.

Where’s the Weakness?

Subrion included a copy of Adminer, a database management tool, in their admin backend. Unfortunately, in Subrion 4.2.1, adminer.php did not properly filter or sanitize user input. This flaw allows an attacker to inject JavaScript using a specially crafted URL.

Attack vector: A URL like this

http(s)://[target-site]/adminer.php?username=<script>alert('XSS')</script>

In the vulnerable adminer.php, user input like $_GET['username'] is used directly in HTML

<!-- A simplified example -->
<input type="text" name="username" value="<?php echo $_GET['username']; ?>">

If you visit

/adminer.php?username="><script>alert('XSS')</script>

It renders

<input type="text" name="username" value=""><script>alert('XSS')</script>

— so the browser runs the script.

Here’s a very simple PoC

<!-- Save this as xss-test.html and open it -->
<a href="http://target-site.com/adminer.php?username=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E">;
  Click me to test XSS in Subrion!
</a>

When clicked (while logged-in to the admin area), the alert will pop up if the site is vulnerable.

5. Original References

- CVE-2024-25399 at NVD
- Exploit-DB 52285: Subrion 4.2.1 - Cross Site Scripting in adminer.php
- Subrion GitHub repository

If you use Subrion CMS 4.2.1

1. Remove/Restrict adminer.php:

Delete the adminer.php file if not needed. Never expose it publicly.

2. Patch/Update:

Developers: Always escape variables going into HTML.

For Developers:

Use PHP's htmlspecialchars() on all user input

<input type="text" name="username" value="<?php echo htmlspecialchars($_GET['username']); ?>">

7. Conclusion

CVE-2024-25399 is a real threat to any Subrion 4.2.1 setup. Don’t dismiss XSS as harmless—your admin accounts and website data may be at risk.

Update, remove the Adminer tool, and never trust user input.

Let’s keep the web safer—share this with anyone running Subrion or using Adminer!

Timeline

Published on: 02/27/2024 16:15:46 UTC
Last modified on: 11/21/2024 09:00:44 UTC