---------------------------------------------------------------------------- Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site Scripting Vulnerabilities ---------------------------------------------------------------------------- [-] Software Link: https://www.concrete5.org/ [-] Affected Versions: Version 5.7.3.1 and probably other versions. [-] Vulnerabilities Description: 1) The vulnerable code is located in /concrete/views/panels/details/page/versions.php: 5. <? foreach($_REQUEST['cvID'] as $cvID) { 6. $tabs[] = array('view-version-' . $cvID, t('Version %s', $cvID), $checked); 7. $checked = false; 8. } 9. print $ih->tabs($tabs); 10. foreach($_REQUEST['cvID'] as $cvID) { ?> 11. 12. <div id="ccm-tab-content-view-version-<?=$cvID?>" style="display: <?=$display?>; ... 13. ... &cID=<?=$_REQUEST['cID']?>" /> User input passed through the "cvID" and "cID" request parameters is not properly sanitized before being used to generate HTML output at lines 6 and 13. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks. 2) The vulnerable code is located in /concrete/src/Form/Service/Widget/UserSelector.php: 17. public function selectUser($fieldName, $uID = false, $javascriptFunc = 'ccm_triggerSelectUser') { 18. $selectedUID = 0; 19. if (isset($_REQUEST[$fieldName])) { 20. $selectedUID = $_REQUEST[$fieldName]; 21. } else if ($uID > 0) { 22. $selectedUID = $uID; 23. } 24. 25. $html = ''; 26. $html .= '<div class="ccm-summary-selected-item"><div class="ccm-summary-selected-item-inner"> ... 27. if ($selectedUID > 0) { 28. $ui = UserInfo::getByID($selectedUID); 29. $html .= $ui->getUserName(); 30. } 31. $html .= '</strong></div>'; 32. $identifier = new \Concrete\Core\Utility\Service\Identifier(); 33. $selector = $identifier->getString(32); 34. $html .= '<a class="ccm-sitemap-select-item" data-form-user-selector="' . $selector ... 35. ... name="' . $fieldName . '" value="' . $selectedUID . '">'; 36. $html .= '</div>'; User input passed through the "uID" request parameter is not properly sanitized before being used to generate HTML output at line 35. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks. 3) The vulnerable code is located in /concrete/elements/group/search.php: 4. $searchRequest = $_REQUEST; 5. $result = Loader::helper('json')->encode($controller->getSearchResultObject()->getJSONObject()); 6. $tree = GroupTree::get(); 7. $guestGroupNode = GroupTreeNode::getTreeNodeByGroupID(GUEST_GROUP_ID); 8. $registeredGroupNode = GroupTreeNode::getTreeNodeByGroupID(REGISTERED_GROUP_ID); 9. ?> 10. 11. <style type="text/css"> 12. div[data-search=groups] form.ccm-search-fields { 13. margin-left: 0px !important; 14. } 15. </style> 16. 17. <div data-search="groups"> 18. <script type="text/template" data-template="search-form"> 19. <form role="form" data-search-form="groups" action="<?=URL::to('/ccm/system/search/groups/submit')?>" ... 20. <input type="hidden" name="filter" value="<?php echo $searchRequest['filter']?>" /> User input passed through the "filter" request parameter is not properly sanitized before being used to generate HTML output at line 20. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks. 4) User input passed through the "msCountry" POST parameter to /index.php/dashboard/system/multilingual/setup/load_icon is not properly sanitized before being used to generate HTML output. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks. 5) User input passed through the "pageURL" POST parameter to /index.php/dashboard/pages/single is not properly sanitized before being used to generate HTML output. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks. 6) The vulnerable code is located in /concrete/attributes/select/form.php: 55. $vals = $this->post('atSelectNewOption'); 56. if (is_array($vals)) { 57. foreach($vals as $v) { ?> 58. <div class="newAttrValue"> 59. <?=$form->hidden($this->field('atSelectNewOption') . '[]', $v)?> 60. <span class="badge"><?php echo $v?></span> User input passed through the "atSelectNewOption" POST parameter is not properly sanitized before being used to generate HTML output at line 60. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks. [-] Solution: Update to version 5.7.4 or later. [-] Disclosure Timeline: [05/05/2015] - Vulnerabilities details sent through HackerOne [05/05/2015] - Vendor said that two vulnerabilities were already fixed in development [07/05/2015] - Version 5.7.4 released along with the patch for these vulnerabilities [06/06/2015] - Vulnerabilities publicly disclosed on HackerOne [11/06/2014] - CVE number requested [11/06/2014] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a name to these vulnerabilities yet. [-] Credits: Vulnerabilities discovered by Egidio Romano of Minded Security. [-] Original Advisory: http://karmainsecurity.com/KIS-2015-02 [-] Other References: https://hackerone.com/reports/59661