egix@karmainsecurity ~ $

Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site Scripting Vulnerabilities

• Software Link:

https://www.concrete5.org

• Affected Versions:

Version 5.7.3.1 and probably other versions.

• Vulnerabilities Description:

  1. The vulnerable code is located in /concrete/views/panels/details/page/versions.php:
 5<? foreach($_REQUEST['cvID'] as $cvID) {
 6    $tabs[] = array('view-version-' . $cvID, t('Version %s', $cvID), $checked);
 7    $checked = false;
 8} 
 9print $ih->tabs($tabs);          
10foreach($_REQUEST['cvID'] as $cvID) { ?>
11 
12    <div id="ccm-tab-content-view-version-<?=$cvID?>" style="display: <?=$display?>; height: 100%">
13    <iframe border="0" id="v<?=time()?>" frameborder="0" height="100%" width="100%" src="<?=REL_DIR_FILES_TOOLS_REQUIRED?>/pages/preview_version?cvID=<?=$cvID?>&amp;cID=<?=$_REQUEST['cID']?>" />

User input passed through the “cvID” and “cID” request parameters is not properly sanitized before being used to generate HTML output at lines 6 and 13. This can be exploited to conduct Reflected Cross-Site Scripting (XSS) attacks.

  1. The vulnerable code is located in /concrete/src/Form/Service/Widget/UserSelector.php:
17public function selectUser($fieldName, $uID = false, $javascriptFunc = 'ccm_triggerSelectUser') {
18    $selectedUID = 0;
19    if (isset($_REQUEST[$fieldName])) {
20        $selectedUID = $_REQUEST[$fieldName];
21    } else if ($uID > 0) {
22        $selectedUID = $uID;
23    }
24 
25    $html = '';
26    $html .= '<div class="ccm-summary-selected-item"><div class="ccm-summary-selected-item-inner"><strong class="ccm-summary-selected-item-label">';
27    if ($selectedUID > 0) {
28        $ui = UserInfo::getByID($selectedUID);
29        $html .= $ui->getUserName();
30    }
31    $html .= '</strong></div>';
32    $identifier = new \Concrete\Core\Utility\Service\Identifier();
33    $selector = $identifier->getString(32);
34    $html .= '<a class="ccm-sitemap-select-item" data-form-user-selector="' . $selector . '" dialog-append-buttons="true" dialog-width="90%" dialog-height="70%" dialog-modal="false" dialog-title="' . t('Choose User') . '" href="' . URL::to('/ccm/system/dialogs/user/search') . '">' . t('Select User') . '</a>';
35    $html .= '<input type="hidden" data-form-user-selector-input="' . $selector . '" name="' . $fieldName . '" value="' . $selectedUID . '">';
36    $html .= '</div>';

User input passed through the “uID” request parameter is not properly sanitized before being used to generate HTML output at line 35. This can be exploited to conduct Reflected Cross-Site Scripting (XSS) attacks.

  1. The vulnerable code is located in /concrete/elements/group/search.php:
 4$searchRequest = $_REQUEST;
 5$result = Loader::helper('json')->encode($controller->getSearchResultObject()->getJSONObject());
 6$tree = GroupTree::get();
 7$guestGroupNode = GroupTreeNode::getTreeNodeByGroupID(GUEST_GROUP_ID);
 8$registeredGroupNode = GroupTreeNode::getTreeNodeByGroupID(REGISTERED_GROUP_ID);
 9?>
10 
11<style type="text/css">
12    div[data-search=groups] form.ccm-search-fields {
13        margin-left: 0px !important;
14    }
15</style>
16 
17<div data-search="groups">
18<script type="text/template" data-template="search-form">
19<form role="form" data-search-form="groups" action="<?=URL::to('/ccm/system/search/groups/submit')?>" class="form-inline ccm-search-fields ccm-search-fields-none">
20    <input type="hidden" name="filter" value="<?php echo $searchRequest['filter']?>" />

User input passed through the “filter” request parameter is not properly sanitized before being used to generate HTML output at line 20. This can be exploited to conduct Reflected Cross-Site Scripting (XSS) attacks.

  1. User input passed through the “msCountry” POST parameter to /index.php/dashboard/system/multilingual/setup/load_icon is not properly sanitized before being used to generate HTML output. This can be exploited to conduct Reflected Cross-Site Scripting (XSS) attacks.

  2. User input passed through the “pageURL” POST parameter to /index.php/dashboard/pages/single is not properly sanitized before being used to generate HTML output. This can be exploited to conduct Reflected Cross-Site Scripting (XSS) attacks.

  3. The vulnerable code is located in /concrete/attributes/select/form.php:

55$vals = $this->post('atSelectNewOption');
56if (is_array($vals)) {
57    foreach($vals as $v) { ?>
58        <div class="newAttrValue">
59            <?=$form->hidden($this->field('atSelectNewOption') . '[]', $v)?>
60            <span class="badge"><?php echo $v?></span>

User input passed through the “atSelectNewOption” POST parameter is not properly sanitized before being used to generate HTML output at line 60. This can be exploited to conduct Reflected Cross-Site Scripting (XSS) attacks.

• Solution:

Update to version 5.7.4 or later.

• Disclosure Timeline:

[05/05/2015] – Vulnerabilities details sent through HackerOne

[05/05/2015] – Vendor said that two vulnerabilities were already fixed in development

[07/05/2015] – Version 5.7.4 released along with the patch for these vulnerabilities

[06/06/2015] – Vulnerabilities publicly disclosed on HackerOne

[11/06/2015] – CVE number requested

[11/06/2015] – Publication of this advisory

[23/06/2015] – CVE number assigned

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-4721 to these vulnerabilities.

• Credits:

Vulnerabilities discovered by Egidio Romano of Minded Security.

• Other References:

https://mindedsecurity.com/advisories/msa110615-2

https://hackerone.com/reports/59661