egix@karmainsecurity ~ $

Concrete5 <= 5.7.3.1 Multiple Cross-Site Request Forgeries Vulnerabilities

• Software Link:

https://www.concrete5.org

• Affected Versions:

Version 5.7.3.1 and probably other versions.

• Vulnerabilities Description:

Concrete5 implements a Synchronizer Token Pattern in order to provide anti-CSRF capabilities. However, the application fails to properly use this feature in every block or dashboard page which makes a system state change, such as settings modification. As a result, the application is vulnerable to some Cross-Site Request Forgery (CSRF) attacks:

  1. File Manager – Delete: an attacker might force an authenticated user to delete files from the File Manager by tricking the victim into browsing to a specially crafted web page.

  2. Public Registration Settings: an attacker might force an authenticated user to change the Public Registration Settings by tricking the victim into browsing to a specially crafted web page.

  3. Public Profiles Settings: an attacker might force an authenticated user to change the Public Profiles Settings by tricking the victim into browsing to a specially crafted web page.

  4. Authentication Types Settings: an attacker might force an authenticated user to enable or disable an authentication type, or change its settings by tricking the victim into browsing to a specially crafted web page.

  5. Community Points: an attacker might force an authenticated user to assign points to arbitrary users, or add, delete, and edit Community Points Actions by tricking the victim into browsing to a specially crafted web page.

  6. Translation Site Interface: an attacker might force an authenticated user to save arbitrary translation strings by tricking the victim into browsing to a specially crafted web page.

  7. Add / Remove Group: an attacker might force an authenticated user to add/remove an arbitrary user to/from a group by tricking the victim into browsing to a specially crafted web page.

  8. Community Connect: an attacker might force an authenticated user to change tokens used to connect to the marketplace by tricking the victim into browsing to a specially crafted web page.

• Solution:

Update to a fixed version.

• Disclosure Timeline:

[05/05/2015] – Vulnerabilities details sent through HackerOne

[02/10/2015] – CVE number requested

[28/12/2015] – Vendor said the vulnerabilities should be fixed in the upstream

[26/06/2016] – Vulnerabilities publicly disclosed on HackerOne

[28/06/2016] – Publication of this advisory

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for these vulnerabilities.

• Credits:

Vulnerabilities discovered by Egidio Romano.

• Other References:

https://hackerone.com/reports/59660