Croogo CMS 1.3 'Contact' and 'User' Module HTML Injection
Summary
Croogo CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Description
Vulnerable Software: Croogo CMS 1.3
Release Date: 2010-06-14
Last Update: 2010-05-10
Criticality: Low
Impact:
    HTML injection
    Session hijack
    Denial of service
    Code execution
Solution Status: Websec informed the vendor and submitted a patch; Croogo 1.3.1 has been released.
Websec Advisory: ws10-08
BACKGROUND
=======================
Croogo is a content management system that is rapidly gaining popularity in the CakePHP community.
DESCRIPTION
=======================
Croogo CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Successful exploits allow attacker-supplied HTML and script code to run in the context of the affected site in the victim's browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
EXPLOIT / POC
=======================
Attackers can exploit this issue with a web browser by sending malicious code through the field 'name' in the user registration form
(http://site/users/add) or through the field 'data[Comment][body]' in the "add a comment" form used to comment on a post (http://site/comments/add/).
In the second case the field 'data[Comment][body]' is sanitized correctly on input, but Tipsy, the JavaScript library that renders the tooltips in the admin panel, decodes the stored, sanitized string again and treats it as HTML. The injected markup is therefore rendered when the comment is displayed in the admin panel, even though the value in the database is escaped.
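The following stand-alone Node.js model is an added example and is not Croogo's or Tipsy's code. It reproduces the two injection paths described above in simplified form: the unescaped 'name' field, and the comment body that is escaped once on the server, passes through one entity-decoding step (the browser's attribute parsing, or a tooltip library that decodes the string) and is then inserted as HTML. The function names, templates and the sample payload are constructed for illustration; the tooltip options {html: true/false} stand in for a Tipsy-style setting and are an assumption about the library, not a quote of its API.

```javascript
// Added example (not Croogo or Tipsy code): models the two HTML-injection paths
// in this advisory. Names, templates and the payload are constructed.

const PAYLOAD = '<img src=x onerror=alert(document.cookie)>'; // constructed attacker input

// Server-side output escaping, equivalent to PHP htmlspecialchars() with ENT_QUOTES.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// One layer of entity decoding, as a browser applies to an attribute value
// (or as a library does when it "decodes" a title). &amp; must be handled last.
function decodeEntities(s) {
  return String(s)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#039;/g, "'")
    .replace(/&amp;/g, '&');
}

// Path 1: users/add 'name' rendered into the page body.
// Vulnerable: interpolated unescaped. Fixed: escaped at output time.
function renderUserNameVulnerable(name) {
  return '<td class="name">' + name + '</td>';
}
function renderUserNameFixed(name) {
  return '<td class="name">' + escapeHtml(name) + '</td>';
}

// Path 2: comments/add 'data[Comment][body]'. The body IS escaped before it is
// stored, then the stored string is emitted into a title attribute as-is.
function storeCommentBody(body) {
  return escapeHtml(body); // stored as &lt;img src=x ...&gt;
}
function renderCommentRow(storedBody) {
  return '<tr><td title="' + storedBody + '">' + storedBody.slice(0, 20) + '</td></tr>';
}
// The attribute value as JavaScript sees it after the browser parses the markup:
// the single layer of entities is gone, leaving the attacker's original characters.
function titleAttributeAsSeenByJs(rowHtml) {
  const m = /title="([^"]*)"/.exec(rowHtml);
  return m ? decodeEntities(m[1]) : '';
}
// Tooltip model: with {html: true} the title becomes innerHTML unchanged;
// with {html: false} it is inserted as text, i.e. re-escaped.
function tooltipInnerHtml(attrTitle, opts) {
  return opts.html ? attrTitle : escapeHtml(attrTitle);
}
// End-to-end: what ends up in the tooltip's innerHTML for a given comment body.
function adminTooltipFor(body, opts) {
  const stored = storeCommentBody(body);
  const row = renderCommentRow(stored);
  return tooltipInnerHtml(titleAttributeAsSeenByJs(row), opts);
}

console.log(renderUserNameVulnerable(PAYLOAD));        // raw <img ...> in the page
console.log(renderUserNameFixed(PAYLOAD));             // &lt;img ...&gt;, inert
console.log(adminTooltipFor(PAYLOAD, { html: true }));  // raw <img ...> -> executes in admin panel
console.log(adminTooltipFor(PAYLOAD, { html: false })); // &lt;img ...&gt;, inert
```

The lesson is that escaping is context-bound: a string escaped once for an HTML body is decoded once when it travels through an attribute, so any later sink that treats it as HTML sees the original payload. The fix is either to insert tooltip content as text or to escape again for the final sink; escaping a second time on storage would instead corrupt legitimate data.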
WORKAROUND
=======================
Upgrade to Croogo 1.3.1 or apply the patch from Croogo's public repository.
DISCLOSURE TIMELINE
=======================
2010/05/08 - Vulnerability discovered
2010/05/08 - Vendor contacted
2010/05/12 - Patch submitted to Croogo's public source code repositories
2010/06/14 - Full disclosure
REFERENCES
=======================
Croogo CMS - Croogo CMS Official website
Croogo on GitHub - Croogo GitHub
Websec - Websec Canada
Websec - Websec Mexico