Advisory: Reflecting XSS vulnerability in CMS Croogo v.2.2.0 Advisory ID: SROEADV-2015-02 Author: Steffen Rösemann Affected Software: CMS Croogo v.2.20 Vendor URL: https://croogo.org Vendor Status: solved CVE-ID: -
========================== Vulnerability Description: ========================== The filemanager functionality in the administrative backend of CMS Croogo v. 2.2.0 is prone to reflecting XSS attacks. ================== Technical Details: ================== The filemanager of a common Croogo installation is located here: http:// {TARGET}/admin/file_manager/file_manager/editfile?path=%2FApplications%2FXAMPP%2Fxamppfiles%2Fhtdocs%2Fcroogo-2.2.0%2Fpackage.json By appending arbitrary HTML- and/or JavaScriptcode to existing filenames, it gets rendered in the generated webpage. It seems not to be working by appending code to existing directory names. Exploit-Example: http://{TARGET}/admin/file_manager/file_manager/editfile?path=%2FApplications%2FXAMPP%2Fxamppfiles%2Fhtdocs%2Fcroogo-2.2.0%2Fpackage.json<script>alert("XSS in filemanager functionality of CMS Croogo 2.2.0")</script><!-- ========= Solution: ========= Update to Croogo v.2.2.1. ==================== Disclosure Timeline: ==================== 03-Jan-2015 – found the vulnerability 03-Jan-2015 - informed the developers by opening an issue on Github (see https://github.com/croogo/croogo/issues/599) 03-Jan-2015 – release date of this security advisory [without technical details] 12-Jan-2015 - fix by vendor (v. 2.2.1) 12-Jan-2015 - release date of this security advisory 12-Jan-2015 - send to lists ======== Credits: ======== Vulnerability found and advisory written by Steffen Rösemann. =========== References: =========== [1] https://croogo.org [2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-02.html [3] https://github.com/croogo/croogo/issues/599 [4] http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-02.html _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/