Croogo CMS 1.3 'Contact' and 'User' Module HTML Injection

Posted on May 10 2010


Croogo CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.


Vulnerable Software: 1.3
Release Date: 2010-06-14
Last Update: 2010-05-10
Critical: Low
Impact: HTML injection, session hijack, denial of service, code execution

Solution Status: Websec has informed the vendor and submitted a patch; Croogo 1.3.1 has been released.

Websec Advisory: ws10-08


Croogo is a content management system that is rapidly gaining popularity in the CakePHP community.


Croogo CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.


Attackers can exploit this issue with a web browser by sending malicious code through the field 'name' in the user registration form (http://site/users/add) or the field 'data[Comment][body]' in the "add a comment" form used to comment on a post (http://site/comments/add/).

In the second case the field 'data[Comment][body]' is sanitized correctly when stored, but Tipsy, the JavaScript library that creates the tooltips in the admin panel, decodes the stored sanitized string again and renders it as HTML, which allows HTML injection in the admin panel.


Upgrade to Croogo 1.3.1 or apply the patch from Croogo's public repository.


2010/05/08 - Vulnerability discovered
2010/05/08 - Vendor contacted
2010/05/12 - Patch submitted to Croogo's public source code repositories
2010/06/14 - Full disclosure


Croogo CMS - Croogo CMS Official website
Croogo on GitHub - Croogo GitHub
Websec - Websec Canada
Websec - Websec Mexico
