Croogo CMS 1.3 'Contact' and 'User' Module HTML Injection
Croogo CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Vulnerable Software: 1.3
Release Date: 2010-06-14
Last Update: 2010-05-10
Impact: HTML injection
Denial of service
Solution Status: Websec has informed and submitted a patch to the vendor Croogo 1.3.1 has been released
Websec Advisory: ws10-08
Croogo is a content management system gaining popularity rapidily in the CAKEPHP community.
Croogo CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
EXPLOIT / POC
Attackers can exploit this issue with a web browser sending malicious code through the field 'name' located in the user registration form
(http://site/users/add) or the field 'data[Comment][body]' in the "add a comment" form to comment on a post (http://site/comments/add/
Upgrade to Croogo 1.3.1 or apply patch Croogo's public repository
2010/05/08 - Vulnerability discovered
2010/05/08 - Vendor contacted
2010/05/12 - Patch submitted to Croogo's public source code repositories
2010/06/14 - Full disclosure