Hi, today: concrete5.
concrete5 is a well-known content management system.
For more, see
www.concrete5.org
So I was pen-testing it a bit and initially found that it is not using any security token to protect the
admin/user logout action (CSRF).
http://localhost/concrete/index.php/login/logout/
In simple terms, just sending this link to any user who has a valid session will log them out, because the logout is a plain GET with no token.
Header:
GET http://localhost/concrete/index.php/login/logout/
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: CONCRETE5=garsp3c29rflks37hk16jda510
Connection: keep-alive
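The fix for the logout CSRF above is a state-changing endpoint that only accepts POST and checks a per-session random token. The following is an added Python illustration written for this page, not concrete5's own PHP code; the `Request`/`Session` classes, the `ccm_token` form field name and `handle_logout` are hypothetical names chosen here. It parses the captured GET request from the post (embedded as a constructed sample) and shows it being refused, while a tokened POST succeeds.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical minimal request/session model used only for this illustration.
@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str] = field(default_factory=dict)

@dataclass
class Session:
    user: Optional[str] = None
    csrf_token: Optional[str] = None

def issue_csrf_token(session: Session) -> str:
    """Create (or reuse) a per-session random token to embed in the logout form."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_hex(32)
    return session.csrf_token

def handle_logout(request: Request, session: Session) -> Tuple[int, str]:
    """Logout endpoint hardened against CSRF. Returns (http_status, message).

    1. Only POST may change state, so a bare GET link (as in the post) is refused.
    2. The submitted token must match the session token, compared in constant time.
    """
    if request.method != "POST":
        return 405, "logout must be a POST"
    expected = session.csrf_token
    submitted = request.form.get("ccm_token")  # hypothetical form field name
    if not expected or not submitted or not hmac.compare_digest(expected, submitted):
        return 403, "invalid or missing CSRF token"
    session.user = None
    session.csrf_token = None  # rotate: a used token must not be replayable
    return 200, "logged out"

def parse_request(raw: str) -> Request:
    """Parse the request line of a raw HTTP request in the shape shown in the post."""
    first = raw.strip().splitlines()[0].split()
    return Request(method=first[0], path=first[1])

# Constructed sample: the forged GET from the post, which carries no token at all.
RAW_LOGOUT_LINK = """GET http://localhost/concrete/index.php/login/logout/
Host: localhost
Cookie: CONCRETE5=garsp3c29rflks37hk16jda510
Connection: keep-alive
"""

def demo() -> Dict[str, object]:
    """Run the four cases a reviewer would check and return their status codes."""
    path = "/concrete/index.php/login/logout/"
    session = Session(user="admin")
    get_status = handle_logout(parse_request(RAW_LOGOUT_LINK), session)[0]
    no_token_status = handle_logout(Request("POST", path), session)[0]
    issue_csrf_token(session)
    bad_token_status = handle_logout(Request("POST", path, {"ccm_token": "deadbeef"}), session)[0]
    good = Request("POST", path, {"ccm_token": issue_csrf_token(session)})
    good_status = handle_logout(good, session)[0]
    return {
        "get": get_status,                 # 405: the link from the post does nothing
        "post_no_token": no_token_status,  # 403
        "post_bad_token": bad_token_status,  # 403
        "post_good_token": good_status,    # 200
        "user_after": session.user,        # None: only the legitimate request logged out
    }

if __name__ == "__main__":
    print(demo())
```

The method check alone already defeats the link-in-an-email variant described above; the token check is what stops an attacker who can make the victim's browser submit a form instead.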
Okay, XSS.
I found XSS inside the admin panel; even though it is in the admin panel, everything should still be secure.
Bug
concrete5 is not sanitizing the POST field for the user-supplied tags.
When you are writing a post to publish on the blog there is an option to enter tags for the post.
This POST field is vulnerable to XSS.
Go to Write Post inside the admin panel, then enter any XSS vector in the TAG field and you will get results.
And it is stored/persistent XSS.
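A stored XSS in a tag field has two defensive layers: validate the tag on input (tags are short plain words, so anything carrying markup characters is simply dropped) and encode on output so that any markup that reached the database anyway is rendered as text. This is an added Python illustration for this page, not concrete5's code; `normalise_tags`, `render_tag_list`, the tag character policy and the sample input are all constructed here.

```python
import html
import re
from typing import List

# Hypothetical policy for this illustration: a tag is a short plain word or phrase.
TAG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]{0,49}$")

def normalise_tags(raw: str) -> List[str]:
    """Input validation for the comma-separated TAG field.

    Trims, collapses whitespace, deduplicates case-insensitively, and drops any
    entry that does not match the allow-list pattern. Rejected entries are
    discarded rather than 'cleaned', so no markup character is ever stored.
    """
    seen = set()
    tags: List[str] = []
    for piece in raw.split(","):
        tag = " ".join(piece.split())
        if not tag or not TAG_RE.match(tag):
            continue
        key = tag.lower()
        if key in seen:
            continue
        seen.add(key)
        tags.append(tag)
    return tags

def render_tag_list(tags: List[str]) -> str:
    """Output encoding: every tag is HTML-escaped (including quotes) at render
    time, so rows stored before validation existed are still shown as text."""
    items = "".join(f"<li>{html.escape(tag, quote=True)}</li>" for tag in tags)
    return f'<ul class="tags">{items}</ul>'

def is_inert(rendered: str) -> bool:
    """Self-check: after removing the markup the template itself emitted, no
    raw '<' or '>' from user data may remain."""
    inner = re.sub(r'^<ul class="tags">|</ul>$', "", rendered)
    inner = inner.replace("<li>", "").replace("</li>", "")
    return "<" not in inner and ">" not in inner

# Constructed sample: what might be typed into the TAG field, including a script tag.
SAMPLE_INPUT = "security, php,  <script>alert(1)</script>, Security, web  security"

if __name__ == "__main__":
    stored = normalise_tags(SAMPLE_INPUT)
    print(stored)                       # ['security', 'php', 'web security']
    print(render_tag_list(stored))
    # A legacy row that bypassed validation is still harmless on output:
    print(render_tag_list(["<script>alert(1)</script>"]))
```

Validation alone is not enough (old data, other write paths, an admin-only API), and encoding alone leaves junk in the database and in any non-HTML consumer of the tags, which is why both layers are shown.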
So this is for today.
#independent Pakistani Security Researcher
3 comments:
Admins always have the privilege to write JavaScript code into their posts in every content management system.