[-] Software Link:
[-] Affected Versions:
Version 5.7.3.1 and probably other versions.
[-] Vulnerabilities Description:
1) The vulnerable code is located in /concrete/views/panels/details/page/versions.php:
$tabs[] = array('view-version-' . $cvID, t('Version %s', $cvID), $checked);
$checked = false;
<div id="ccm-tab-content-view-version-<?=$cvID?>" style="display: <?=$display?>; ...
... &amp;cID=<?=$_REQUEST['cID']?>" />
User input passed through the "cvID" and "cID" request parameters is not properly sanitized before being used to
generate HTML output at lines 6 and 13. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.
2) The vulnerable code is located in /concrete/src/Form/Service/Widget/UserSelector.php:
$selectedUID = 0;
if (isset($_REQUEST[$fieldName])) {
$selectedUID = $_REQUEST[$fieldName];
} else if ($uID > 0) {
$selectedUID = $uID;
}
$html = '';
$html .= '<div class="ccm-summary-selected-item"><div class="ccm-summary-selected-item-inner"> ...
if ($selectedUID > 0) {
$ui = UserInfo::getByID($selectedUID);
$html .= $ui->getUserName();
}
$html .= '</strong></div>';
$identifier = new \Concrete\Core\Utility\Service\Identifier();
$selector = $identifier->getString(32);
$html .= '<a class="ccm-sitemap-select-item" data-form-user-selector="' . $selector ...
... name="' . $fieldName . '" value="' . $selectedUID . '">';
$html .= '</div>';
User input passed through the "uID" request parameter is not properly sanitized before being used to generate
HTML output at line 35. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.
3) The vulnerable code is located in /concrete/elements/group/search.php:
div[data-search=groups] form.ccm-search-fields {
margin-left: 0px !important;
}
<input type="hidden" name="filter" value="<?php echo $searchRequest['filter']?>" />
User input passed through the "filter" request parameter is not properly sanitized before being used to generate
HTML output at line 20. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.
4) User input passed through the "msCountry" POST parameter to /index.php/dashboard/system/multilingual/setup/load_icon
is not properly sanitized before being used to generate HTML output. This can be exploited to conduct reflected
Cross-Site Scripting (XSS) attacks.
5) User input passed through the "pageURL" POST parameter to /index.php/dashboard/pages/single is not properly sanitized
before being used to generate HTML output. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.
6) The vulnerable code is located in /concrete/attributes/select/form.php:
foreach($vals as $v) { ?>
<div class="newAttrValue">
<?=$form->hidden($this->field('atSelectNewOption') . '[]', $v)?>
<span class="badge"><?php echo $v?></span>
User input passed through the "atSelectNewOption" POST parameter is not properly sanitized before being used to
generate HTML output at line 60. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.
[-] Solution:
Update to version 5.7.4 or later.
[-] Disclosure Timeline:
[05/05/2015] - Vulnerabilities details sent through HackerOne
[05/05/2015] - Vendor said that two vulnerabilities were already fixed in development
[07/05/2015] - Version 5.7.4 released along with the patch for these vulnerabilities
[06/06/2015] - Vulnerabilities publicly disclosed on HackerOne
[11/06/2014] - CVE number requested
[11/06/2014] - Publication of this advisory
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a name to these vulnerabilities yet.
[-] Credits:
Vulnerabilities discovered by Egidio Romano of Minded Security.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2015-02
[-] Other References: