[KIS-2015-02] Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site- Scripting Vulnerabilities

From: Egidio Romano <research@karmainsecurity.com>
To: bugtraq@securityfocus.com,fulldisclosure@seclists.org
Cc:
Subject: [KIS-2015-02] Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site- Scripting Vulnerabilities
Date:


----------------------------------------------------------------------------
Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site Scripting Vulnerabilities
----------------------------------------------------------------------------


[-] Software Link:

https://www.concrete5.org/


[-] Affected Versions:

Version 5.7.3.1 and probably other versions.


[-] Vulnerabilities Description:

1) The vulnerable code is located in /concrete/views/panels/details/page/versions.php:

5.  <? foreach($_REQUEST['cvID'] as $cvID) {
6.      $tabs[] = array('view-version-' . $cvID, t('Version %s', $cvID), $checked);
7.          $checked = false;
8.    }
9.        print $ih->tabs($tabs);
10.    foreach($_REQUEST['cvID'] as $cvID) { ?>
11. 
12.            <div id="ccm-tab-content-view-version-<?=$cvID?>" style="display: <?=$display?>; ...
13.            ... &amp;cID=<?=$_REQUEST['cID']?>" />

User input passed through the "cvID" and "cID" request parameters is not properly sanitized before being used to
generate HTML output at lines 6 and 13. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.

2) The vulnerable code is located in /concrete/src/Form/Service/Widget/UserSelector.php:

17.    public function selectUser($fieldName, $uID = false, $javascriptFunc = 'ccm_triggerSelectUser') {
18.        $selectedUID = 0;
19.       if (isset($_REQUEST[$fieldName])) {
20.         $selectedUID = $_REQUEST[$fieldName];
21.       } else if ($uID > 0) {
22.         $selectedUID = $uID;
23.        }
24.   
25.            $html = '';
26.           $html .= '<div class="ccm-summary-selected-item"><div class="ccm-summary-selected-item-inner"> ...
27.         if ($selectedUID > 0) {
28.                $ui = UserInfo::getByID($selectedUID);
29.          $html .= $ui->getUserName();
30.           }
31.       $html .= '</strong></div>';
32.       $identifier = new \Concrete\Core\Utility\Service\Identifier();
33.          $selector = $identifier->getString(32);
34.            $html .= '<a class="ccm-sitemap-select-item" data-form-user-selector="' . $selector ...
35.           ... name="' . $fieldName . '" value="' . $selectedUID . '">';
36.         $html .= '</div>';

User input passed through the "uID" request parameter is not properly sanitized before being used to generate
HTML output at line 35. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.

3) The vulnerable code is located in /concrete/elements/group/search.php:

4.   $searchRequest = $_REQUEST;
5.      $result = Loader::helper('json')->encode($controller->getSearchResultObject()->getJSONObject());
6.        $tree = GroupTree::get();
7.        $guestGroupNode = GroupTreeNode::getTreeNodeByGroupID(GUEST_GROUP_ID);
8.   $registeredGroupNode = GroupTreeNode::getTreeNodeByGroupID(REGISTERED_GROUP_ID);
9. ?>
10. 
11.        <style type="text/css">
12.         div[data-search=groups] form.ccm-search-fields {
13.            margin-left: 0px !important;
14.        }
15.   </style>
16.      
17.        <div data-search="groups">
18.  <script type="text/template" data-template="search-form">
19. <form role="form" data-search-form="groups" action="<?=URL::to('/ccm/system/search/groups/submit')?>" ...
20.            <input type="hidden" name="filter" value="<?php echo $searchRequest['filter']?>" />

User input passed through the "filter" request parameter is not properly sanitized before being used to generate
HTML output at line 20. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.

4) User input passed through the "msCountry" POST parameter to /index.php/dashboard/system/multilingual/setup/load_icon
is not properly sanitized before being used to generate HTML output. This can be exploited to conduct reflected
Cross-Site Scripting (XSS) attacks.

5) User input passed through the "pageURL" POST parameter to /index.php/dashboard/pages/single is not properly sanitized
before being used to generate HTML output. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.

6) The vulnerable code is located in /concrete/attributes/select/form.php:

55.    $vals = $this->post('atSelectNewOption');
56.        if (is_array($vals)) {
57.      foreach($vals as $v) { ?>
58.              <div class="newAttrValue">
59.              <?=$form->hidden($this->field('atSelectNewOption') . '[]', $v)?>
60.                <span class="badge"><?php echo $v?></span>

User input passed through the "atSelectNewOption" POST parameter is not properly sanitized before being used to
generate HTML output at line 60. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.


[-] Solution:

Update to version 5.7.4 or later.


[-] Disclosure Timeline:

[05/05/2015] - Vulnerabilities details sent through HackerOne
[05/05/2015] - Vendor said that two vulnerabilities were already fixed in development
[07/05/2015] - Version 5.7.4 released along with the patch for these vulnerabilities
[06/06/2015] - Vulnerabilities publicly disclosed on HackerOne
[11/06/2014] - CVE number requested
[11/06/2014] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a name to these vulnerabilities yet.


[-] Credits:

Vulnerabilities discovered by Egidio Romano of Minded Security.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2015-02


[-] Other References:

https://hackerone.com/reports/59661





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.