concrete5: Stored XSS vulnerability in RSS Feeds Description field

2017-07-11T00:24:36
ID H1:248133
Type hackerone
Reporter bl4de
Modified 2017-08-18T16:21:30

Description

Intro

"Pirates of the Crayons"

  • Type of issue: Core CMS issue
  • Level of severity: Internal Attack Vector
  • Concrete5 version: 8.2.0 RC2 rev. b54f2b451f0a0804699c4cf9f0b3a8fef0e407db (July 10th)

Summary

There is a Stored XSS vulnerability in the RSS Feeds Description property. The value of the textarea is not properly sanitized, so malicious JavaScript code can be saved and is executed every time a user visits the Feed screen.

Steps to reproduce

  • log in to the concrete5 instance
  • go to RSS Feeds and click on the Add Feed button
  • in the feed Description textarea, put the following payload:

```html
Description </textarea> <script>alert('XSS!')</script>
```

{F201814}

  • click Add button

Now, select the added feed from the RSS Feeds list. The JavaScript payload will execute.

{F201813}
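As an added example (not part of the original report and not concrete5's own code), the following PHP shows why the payload above breaks out of the Description textarea and how escaping on output prevents it. The function names, the constructed input and the assumption that the form contains a single textarea are mine:

```php
<?php
// Added example, not concrete5 code: renders a feed Description textarea
// the unsafe way and the safe way, then checks each result for a breakout.

// Constructed input: the payload from the report above.
$description = "Description </textarea> <script>alert('XSS!')</script>";

// Vulnerable rendering: the stored value is echoed into the textarea as-is.
// The "</textarea>" inside the value closes the element early, and the
// <script> that follows becomes live markup executed by the browser.
function renderTextareaUnsafe(string $value): string
{
    return '<textarea name="description">' . $value . '</textarea>';
}

// Hardened rendering: HTML-escape the value before placing it in the textarea.
// htmlspecialchars turns "<" into "&lt;", so "</textarea>" can no longer close
// the element and the browser shows the text literally. ENT_QUOTES also escapes
// single quotes, which matters if the same value is ever placed in an attribute.
function renderTextareaSafe(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<textarea name="description">' . $escaped . '</textarea>';
}

// Detection check for a rendered form: more than one "</textarea>" closing tag,
// or a "<script" tag anywhere, means stored content has turned into markup.
// Assumption: the form is expected to contain exactly one textarea.
function hasTextareaBreakout(string $html): bool
{
    $closes = substr_count(strtolower($html), '</textarea>');
    return $closes > 1 || stripos($html, '<script') !== false;
}

echo "Unsafe: " . renderTextareaUnsafe($description) . "\n";
echo "Safe:   " . renderTextareaSafe($description) . "\n";
var_dump(hasTextareaBreakout(renderTextareaUnsafe($description)));
var_dump(hasTextareaBreakout(renderTextareaSafe($description)));
```

Run it with the PHP CLI; the unsafe rendering trips the breakout check while the escaped rendering does not. The fix is escaping at the point of output, not filtering on input: the stored value may legitimately contain angle brackets, and only the HTML context decides how they must be encoded.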

Impact

Although this issue has a smaller impact than the one previously reported by Corben Douglas (@sxcurity) in https://hackerone.com/reports/221380 (Stored XSS in RSS Feeds Title, Concrete5 v8.1.0), because it requires the user to enter the feed edit form, it still introduces an internal attack vector against any concrete5 user.

Testing environment

System:

  • Concrete5 version 8.2.0 RC2, commit b54f2b451f0a0804699c4cf9f0b3a8fef0e407db (July 10th), installed locally
  • PHP ver. 5.6.30
  • Apache HTTP Server 2.4.25 for macOS
  • MySQL ver. 5.7.13 for macOS

This vulnerability was tested on macOS Sierra 10.12.5 with the following browsers:

  • Chrome 59.0.3071.115
  • Chromium build 61.0.3131.0
  • Opera 46.0.2597.32

Wrap up

I hope my report will help keep Concrete5 safe in the future.

Best Regards,

Rafal 'bl4de' Janicki