Jun 14, 2015 - 12:00 a.m.

[KIS-2015-02] Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site Scripting Vulnerabilities

vulners.com

Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site Scripting Vulnerabilities

[-] Software Link:

https://www.concrete5.org/

[-] Affected Versions:

Version 5.7.3.1 and probably other versions.

[-] Vulnerabilities Description:

1) The vulnerable code is located in /concrete/views/panels/details/page/versions.php:

    <? foreach($_REQUEST['cvID'] as $cvID) {
        $tabs[] = array('view-version-' . $cvID, t('Version %s', $cvID), $checked);
        $checked = false;
    }
    print $ih->tabs($tabs);
    foreach($_REQUEST['cvID'] as $cvID) { ?>
    <div id="ccm-tab-content-view-version-<?=$cvID?>" style="display: <?=$display?>; ...
    ... &amp;cID=<?=$_REQUEST['cID']?>" />

User input passed through the "cvID" and "cID" request parameters is not properly sanitized before being used to
generate HTML output at lines 6 and 13. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.

2) The vulnerable code is located in /concrete/src/Form/Service/Widget/UserSelector.php:

    public function selectUser($fieldName, $uID = false, $javascriptFunc = 'ccm_triggerSelectUser') {
        $selectedUID = 0;
        if (isset($_REQUEST[$fieldName])) {
            $selectedUID = $_REQUEST[$fieldName];
        } else if ($uID > 0) {
            $selectedUID = $uID;
        }
        $html = '';
        $html .= '<div class="ccm-summary-selected-item"><div class="ccm-summary-selected-item-inner"> ...
        if ($selectedUID > 0) {
            $ui = UserInfo::getByID($selectedUID);
            $html .= $ui->getUserName();
        }
        $html .= '</strong></div>';
        $identifier = new \Concrete\Core\Utility\Service\Identifier();
        $selector = $identifier->getString(32);
        $html .= '<a class="ccm-sitemap-select-item" data-form-user-selector="' . $selector ...
        ... name="' . $fieldName . '" value="' . $selectedUID . '">';
        $html .= '</div>';

User input passed through the "uID" request parameter is not properly sanitized before being used to generate
HTML output at line 35. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.

3) The vulnerable code is located in /concrete/elements/group/search.php:

    $searchRequest = $_REQUEST;
    $result = Loader::helper('json')->encode($controller->getSearchResultObject()->getJSONObject());
    $tree = GroupTree::get();
    $guestGroupNode = GroupTreeNode::getTreeNodeByGroupID(GUEST_GROUP_ID);
    $registeredGroupNode = GroupTreeNode::getTreeNodeByGroupID(REGISTERED_GROUP_ID);
    ?>
    <style type="text/css">
    div[data-search=groups] form.ccm-search-fields {
        margin-left: 0px !important;
    }
    </style>
    <div data-search="groups">
    <script type="text/template" data-template="search-form">
    <form role="form" data-search-form="groups" action="<?=URL::to('/ccm/system/search/groups/submit')?>" ...
    <input type="hidden" name="filter" value="<?php echo $searchRequest['filter']?>" />

User input passed through the "filter" request parameter is not properly sanitized before being used to generate
HTML output at line 20. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.

4) User input passed through the "msCountry" POST parameter to /index.php/dashboard/system/multilingual/setup/load_icon
is not properly sanitized before being used to generate HTML output. This can be exploited to conduct reflected
Cross-Site Scripting (XSS) attacks.

5) User input passed through the "pageURL" POST parameter to /index.php/dashboard/pages/single is not properly sanitized
before being used to generate HTML output. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.

6) The vulnerable code is located in /concrete/attributes/select/form.php:

    $vals = $this->post('atSelectNewOption');
    if (is_array($vals)) {
    foreach($vals as $v) { ?>
        <div class="newAttrValue">
            <?=$form->hidden($this->field('atSelectNewOption') . '[]', $v)?>
            <span class="badge"><?php echo $v?></span>

User input passed through the "atSelectNewOption" POST parameter is not properly sanitized before being used to
generate HTML output at line 60. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.
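All six findings share one root cause: a request value is concatenated into HTML (mostly into a double-quoted attribute) without output encoding. The following is an added example, not Concrete5 code and not part of the original advisory; the function names, the constructed sample input and the `h()` / `toId()` helpers are assumptions. It places the unescaped pattern from item 3 next to two remediations a maintainer would apply: context-correct encoding for free-text values such as "filter", and type validation for values that are really identifiers, such as "cvID", "cID" and "uID" in items 1 and 2.

```php
<?php
// Added example (not Concrete5 code). Run with: php hardening_example.php

// Constructed sample input that closes the attribute early and starts a new tag.
// This is a placeholder value, not a payload taken from the advisory.
$untrusted = '"><b>injected</b>';

// Vulnerable pattern, as in /concrete/elements/group/search.php:
// the request value lands directly inside a double-quoted attribute.
function renderFilterUnsafe(string $filter): string
{
    return '<input type="hidden" name="filter" value="' . $filter . '" />';
}

// Fix 1: encode for the HTML context. ENT_QUOTES is essential because the
// value sits inside a quoted attribute (the default would leave ' unencoded);
// ENT_SUBSTITUTE keeps malformed UTF-8 from turning the output into "".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderFilterSafe(string $filter): string
{
    return '<input type="hidden" name="filter" value="' . h($filter) . '" />';
}

// Fix 2: parameters that are identifiers (cvID, cID, uID) should be validated
// as positive integers before use. filter_var returns false, never 0, for
// anything that is not an integer, so markup is rejected rather than echoed.
function toId($value): int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('identifier must be a positive integer');
    }
    return $id;
}

// Hardened version of the tab loop from /concrete/views/panels/details/page/versions.php
// (structure only; the surrounding template code is not reproduced).
function renderVersionTabsSafe(array $cvIDs): string
{
    $out = '';
    foreach ($cvIDs as $cvID) {
        $id = toId($cvID);   // throws instead of reflecting injected markup
        $out .= '<div id="ccm-tab-content-view-version-' . $id . '"></div>' . "\n";
    }
    return $out;
}

echo "unsafe: " . renderFilterUnsafe($untrusted) . "\n";
echo "safe:   " . renderFilterSafe($untrusted) . "\n";
echo renderVersionTabsSafe(['12', '7']);
try {
    renderVersionTabsSafe(['12', $untrusted]);
} catch (InvalidArgumentException $e) {
    echo "rejected cvID: " . $e->getMessage() . "\n";
}
```

The first `echo` shows the attribute being closed by the input and a new element appearing in the page; the second shows the same input rendered inertly as `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;`. Escaping at the point of output is the fix that generalises to items 4, 5 and 6, whose parameters ("msCountry", "pageURL", "atSelectNewOption") are free-form strings; the integer validation applies wherever the parameter is a database key.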

[-] Solution:

Update to version 5.7.4 or later.

[-] Disclosure Timeline:

[05/05/2015] - Vulnerabilities details sent through HackerOne
[05/05/2015] - Vendor said that two vulnerabilities were already fixed in development
[07/05/2015] - Version 5.7.4 released along with the patch for these vulnerabilities
[06/06/2015] - Vulnerabilities publicly disclosed on HackerOne
[11/06/2014] - CVE number requested
[11/06/2014] - Publication of this advisory

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a name to these vulnerabilities yet.

[-] Credits:

Vulnerabilities discovered by Egidio Romano of Minded Security.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2015-02

[-] Other References:

https://hackerone.com/reports/59661