Croogo CMS 1.3 'Contact' and 'User' Module HTML Injection

Posted on May 10 2010

Summary

Croogo CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Description

Vulnerable Software: 1.3
Release Date: 2010-06-14
Last Update: 2010-05-10
Critical: Low
Impact: HTML injection, Session hijack, Denial of service, Code execution

Solution Status: Websec has informed the vendor and submitted a patch; Croogo 1.3.1 has been released.

Websec Advisory: ws10-08

BACKGROUND
=======================

Croogo is a content management system that is rapidly gaining popularity in the CakePHP community.

DESCRIPTION
=======================

Croogo CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

EXPLOIT / POC
=======================

An attacker can exploit this issue from a web browser by submitting malicious code through the 'name' field of the user registration form (http://site/users/add) or the 'data[Comment][body]' field of the "add a comment" form used to comment on a post (http://site/comments/add/).

In the comment case the 'data[Comment][body]' field itself is sanitized correctly when stored, but Tipsy, the JavaScript library that renders the tooltips, decodes the stored (already sanitized) string a second time and inserts it as HTML, which allows HTML injection in the admin panel.

WORKAROUND
=======================

Upgrade to Croogo 1.3.1 or apply the patch from Croogo's public repository.

DISCLOSURE TIMELINE
=======================

2010/05/08 - Vulnerability discovered
2010/05/08 - Vendor contacted
2010/05/12 - Patch submitted to Croogo's public source code repositories
2010/06/14 - Full disclosure

REFERENCES
=======================

Croogo CMS - Croogo CMS Official website
Croogo on GitHub - Croogo GitHub
Websec - Websec Canada
Websec - Websec Mexico
