About a month ago we performed a Secure Code Review of Concrete5 version 5.7.3.1, the latest stable release at that time, and discovered multiple security issues within it. In particular we found the following vulnerabilities:
- A Remote Code Execution
- Multiple Reflected Cross Site Scripting
- A SQL Injection
- ...others not fixed yet
These issues have been reported to the Concrete5 team through HackerOne, since they have a bug bounty program in place. Some of them were promptly fixed in the next releases of the software, while others still have to be solved.
This is the reason why this post will be in two parts: in this first part we are going to cover the issues already fixed and publicly disclosed on the HackerOne website, while the remainings will be illustrated in the second part.
Concrete5 CMS
The Issues
Sendmail Remote Code Execution Vulnerability
Official Advisory:
https://www.mindedsecurity.com/index.php/research/advisories/msa110615-1
Risk: High
https://www.mindedsecurity.com/index.php/research/advisories/msa110615-1
Risk: High
Cause: Lack of input validation
Impact: Arbitrary PHP Code Execution on the server
One of the most critical issues we discovered is a Remote Code Execution (RCE) vulnerability affecting Concrete5 websites which use sendmail as mail server. This vulnerability is due to an incorrect validation of an input parameter used to store a setting related to the sender's address of a registration notification email.
The attack can be carried out in two steps:
- The sender's email address setting is modified to alter the sendmail command line in order to add specific parameters which allow to log all the email traffic into an arbitrary file;
- The attacker will send a specially crafted request to register a new account and will put some malicious PHP code after its email address. This will be written into the log file chosen during the first step, so in case it's a .php file arbitrary PHP code execution may be achieved (using the same technique described here).
Even though the sender's address parameter can be modified by administrator users only, an attacker might be able to exploit the bug leveraging a Cross-Site Request Forgery (CSRF) vulnerability affecting the related setting feature.
A detailed description of the vulnerability and a sample attack workflow are described in the following PDF:
- Disclosure Timeline:
[05/05/2015] - Vulnerability details sent through HackerOne
[05/05/2015] - Vendor said a patch has been committed and will be available in the next version
[05/07/2015] - Version 5.7.4 released along with the patch for this vulnerability
[06/06/2015] - Vulnerability publicly disclosed on HackerOne
Multiple Reflected Cross Site Scripting Vulnerabilities
Official Advisory:https://www.mindedsecurity.com/index.php/research/advisories/msa110615-2
Risk: Medium
Cause: Lack of input validation
Impact: Unauthorized access to the victim's browser data
During our code review activity we found out that several input parameters are used to generate some HTML output without a proper encoding. This can be exploited to carry out Reflected Cross Site Scripting (XSS) attacks.
The following PDF describes the discovered XSS vulnerabilities and provides Proof of Concept (PoC) web pages for them:
- Disclosure Timeline:
[05/05/2015] - Vulnerabilities details sent through HackerOne
[05/05/2015] - Vendor said that 2 out of 6 reported vulnerabilities were already fixed in development
[05/07/2015] - Version 5.7.4 released along with patches for all the 6 vulnerabilities
[06/06/2015] - Vulnerabilities publicly disclosed on HackerOne
SQL Injection Vulnerability
Official Advisory:
https://www.mindedsecurity.com/index.php/research/advisories/msa110615-3
Risk: Medium
https://www.mindedsecurity.com/index.php/research/advisories/msa110615-3
Risk: Medium
Cause: Lack of input validation
Impact: Unauthorized access to the data stored into the database
Furthermore we found the presence of a SQL injection vulnerability, which is due to certain user input being used to construct a SQL query without a proper validation. This can be exploited to carry out SQL injection attacks leading to unauthorized access to the data stored into the database.
However, the vulnerability is not critical because it is mitigated by the fact that can be exploited only by authenticated users with privileges to edit page permissions.
The following PDF describes the detail of the vulnerability and how to exploit it:
- Disclosure Timeline:
[05/05/2015] - Vulnerability details sent through HackerOne
[05/08/2015] - Vendor said a patch has been committed and will be available in the next version
[05/12/2015] - Version 5.7.4.1 released along with the patch for this vulnerability
[06/11/2015] - Vulnerability publicly disclosed on HackerOne
Stay tuned for the second part!
No comments:
Post a Comment