[KIS-2016-09] Concrete5 <= 5.7.3.1 Multiple Stored Cross-Site Scripting Vulnerabilities

Tue, 28 Jun 2016 10:05:50 -0700 

-------------------------------------------------------------------------
Concrete5 <= 5.7.3.1 Multiple Stored Cross-Site Scripting Vulnerabilities
-------------------------------------------------------------------------


[-] Software Link:

https://www.concrete5.org/


[-] Affected Versions:

Version 5.7.3.1 and probably other versions.


[-] Vulnerabilities Description:

1) User input passed through the "uEmail" and "uDefaultLanguage" POST 
parameters when registering
a new account is not properly sanitized before being used to generate HTML 
output. This can be
exploited by unauthenticated attackers to permanently store arbitrary script 
code within the Users
database table, which might be executed by an authenticated user while browsing 
to the users page.

NOTE: the "uDefaultLanguage" parameter cannot be longer than 32 characters, 
however this can
still be exploited by e.g. using a URL shortener service to include arbitrary 
script code (such
as <script src=//v.ht/x_s></script> which is exactly 32 characters).

2) The vulnerable code is located in 
/concrete/controllers/single_page/dashboard/system/registration/open.php:

13.     public function update_registration_type()
14.     {
15.         if ($this->isPost()) {
16.             Config::save('concrete.user.registration.email_registration', 
($this->post('email_as_username') ? true : false));
17.             Config::save('concrete.user.registration.type', 
$this->post('registration_type'));
18.             Config::save('concrete.user.registration.captcha', 
($this->post('enable_registration_captcha')) ? true : false);
19.             switch ($this->post('registration_type')) {
20.                 case "enabled":
21.                     Config::save('concrete.user.registration.enabled', 
true);
22.                     
Config::save('concrete.user.registration.validate_email', false);
23.                     Config::save('concrete.user.registration.approval', 
false);
24.                     Config::save('concrete.user.registration.notification', 
$this->post('register_notification'));
25.                     Config::save(
26.                         'concrete.user.registration.notification_email',
27.                         Loader::helper('security')->sanitizeString(
28.                             $this->post('register_notification_email')));

User input passed through the "register_notification_email" POST parameter is 
not properly sanitized
before being stored into a configuration setting (the "sanitizeString()" method 
strips tags from the
string but not double quotes). This can be exploited by an authenticated 
attacker to permanently
store arbitrary script code within the database, which might be executed by 
another user while
browsing to the "Public Registration Settings" page.

NOTE: the vulnerability can be exploited only by authenticated users, however 
an attacker
can leverage a CSRF vulnerability related to the "Public Registration Settings" 
page.

3) The vulnerable code is located in 
/concrete/controllers/single_page/dashboard/system/registration/profiles.php:

11.     public function update_profiles() {
12.         if ($this->isPost()) {
13.             Config::save('concrete.user.profiles_enabled', 
($this->post('public_profiles')?true:false));
14.             Config::save('concrete.user.gravatar.enabled', 
($this->post('gravatar_fallback')?true:false));
15.             Config::save('concrete.user.gravatar.max_level', 
Loader::helper('security')->sanitizeString($this->post('gravatar_max_level')));
16.             Config::save('concrete.user.gravatar.image_set', 
Loader::helper('security')->sanitizeString($this->post('gravatar_image_set')));
17.             // $message = ($this->post('public_profiles')?t('Public 
profiles have been enabled'):t('Public profiles have been disabled.'));
18.             if($this->post('public_profiles')) {
19.                 
$this->redirect('/dashboard/system/registration/profiles/profiles_enabled');

User input passed through the "gravatar_max_level" e "gravatar_image_set" POST 
parameters is not
properly sanitized before being stored into a configuration setting (the 
"sanitizeString()" method
strips tags from the string but not double quotes). This can be exploited by an 
authenticated attacker
to permanently store arbitrary script code within the database, which might be 
executed by another
user while browsing to the "Public Profiles Settings" page.

NOTE: the vulnerability can be exploited only by authenticated users, however 
an attacker
can leverage a CSRF vulnerability related to the "Public Profiles Settings" 
page.

4) The vulnerable code is located in 
/concrete/controllers/single_page/dashboard/users/points/actions.php:

94.     public function save()
95.     {
96.         if($this->post('upaID') > 0) {
97.             $this->upa->load($this->post('upaID'));
98.             if (!$this->upa->hasCustomClass()) {
99.                 $this->upa->upaHandle = $this->post('upaHandle');
100.            }
101.            $this->upa->upaName = $this->post('upaName');
102.            $this->upa->upaDefaultPoints = $this->post('upaDefaultPoints');
103.            $this->upa->gBadgeID = $this->post('gBadgeID');
104.            if (!$this->upa->pkgID) {
105.                // i hate this activerecord crap
106.                $this->upa->pkgID = 0;
107.            }
108.            $this->upa->upaIsActive = 0;
109.            if ($this->post('upaIsActive')) {
110.                $this->upa->upaIsActive = 1;
111.            }
112.    
113.            $this->upa->save();
114.        } else {
115.            $upa = UserPointAction::add($this->post('upaHandle'), 
$this->post('upaName'), $this->post('upaDefaultPoints'), 
$this->post('gBadgeID'), $this->post('upaIsActive'));
116.        }

User input passed through the "upaHandle" and "upaName" POST parameters is not 
properly sanitized
before being stored. This can be exploited by an authenticated attacker to 
permanently store
arbitrary script code within the database, which might be executed by another 
user while browsing
to the "Community Points Actions" page.

NOTE: the vulnerability can be exploited only by authenticated users, however 
an attacker
can leverage a CSRF vulnerability related to the "Community Points Actions" 
page.

5) The vulnerable code is located in /concrete/elements/files/add_to_sets.php:

110.    if ($_POST['fsNew']) {
111.        $type = ($_POST['fsNewShare'] == 1) ? FileSet::TYPE_PUBLIC : 
FileSet::TYPE_PRIVATE;
112.        $fs = FileSet::createAndGetSet($_POST['fsNewText'], $type);
113.        //print_r($fs);

User input passed through the "fsNewText" POST parameter is not properly 
sanitized before being stored.
This can be exploited by an authenticated attacker to permanently store 
arbitrary script code within the
database, which might be executed by another user while browsing to the "Add to 
New Set" panel.

NOTE: the vulnerability can be exploited only by authenticated users, however 
an attacker
can leverage a CSRF vulnerability related to the "File Manager" page.

6) The vulnerable code is located in 
/concrete/controllers/single_page/dashboard/extend/connect.php:

18.     public function connect_complete() {
19.         $tp = new TaskPermission();
20.         if ($tp->canInstallPackages()) {
21.             if (!$_POST['csToken']) {
22.                 $this->set('error', array(t('An unexpected error occurred 
when connecting your site to the marketplace.')));
23.             } else {
24.                 $config = \Core::make('config/database');
25.                 $config->save('concrete.marketplace.token', 
$_POST['csToken']);
26.                 $config->save('concrete.marketplace.url_token', 
$_POST['csURLToken']);

User input passed through the "csToken" and "csURLToken" POST parameters is not 
properly sanitized
before being stored into a configuration setting. This can be exploited by an 
authenticated attacker
to permanently store arbitrary script code within the database, which might be 
executed by another
user while browsing to the "Extend Concrete5" pages.

NOTE: the vulnerability can be exploited only by authenticated users, however 
an attacker
can leverage a CSRF vulnerability related to the "Community Connect" page.

7) The vulnerable code is located in 
/concrete/controllers/single_page/dashboard/system/multilingual/translate_interface.php:

110.    public function save_translation()
111.    {
112.        $mtID = intval($this->post('mtID'));
113.        $translation = Translation::getByID($mtID);
114.        if (is_object($translation)) {
115.            $translation->updateTranslation($this->post('msgstr'));
116.        }

User input passed through the "msgstr" POST parameter is not properly sanitized 
before being stored.
This can be exploited by an authenticated attacker to permanently store 
arbitrary script code within the
database, which might be executed by another user while browsing to the 
"Translate Site Interface" page.

NOTE: the vulnerability can be exploited only by authenticated users, however 
an attacker
can leverage a CSRF vulnerability related to the "Translate Site Interface" 
page.


[-] Solution:

Update to a fixed version.


[-] Disclosure Timeline:

[05/05/2015] - Vulnerabilities details sent through HackerOne
[02/10/2015] - CVE number requested
[28/12/2015] - Vendor said the vulnerabilities should be fixed in the upstream
[26/06/2016] - Vulnerabilities publicly disclosed on HackerOne
[28/06/2016] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for these vulnerabilities.


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2016-09


[-] Other References:

https://hackerone.com/reports/59662

Reply via email to