# Exploit Title: Concrete5 5.5.2.1 Multiple Authenticated Cross-Site Scripting (XSS)
# Date: 2012-08-25
# Author: Ryan ‘ethicalhack3r’ Dewhurst (www.ethicalhack3r.co.uk)
# Software Link: http://sourceforge.net/projects/concretecms/files/concrete5/5.5.2.1/
# Version: 5.5.2.1
1. Vulnerability Description
Multiple authenticated Cross-Site Scripting (XSS) vulnerabilities were identified within Concrete5 version 5.5.2.1. A weakness in the session cookie's security flags was also reported. The first Concrete5 advisory can be found here [1].
2. Software Description
Concrete5 [0], "CMS made for Marketing but built for Geeks", is a free and open source content management system.
3. Vulnerability Information
3.1 Cross-Site Scripting (XSS)
Page: index.php/tools/required/files/customize_search_columns
Parameters: searchInstance
Method: GET
Page: index.php/tools/required/files/save_search
Parameters: ccm-submit-button, searchInstance
Method: POST
Page: index.php/tools/required/files/search_results
Parameters: numResults, searchInstance & searchType
Method: GET
Page: index.php/tools/required/sitemap_search_selector.php
Parameters: cID, sitemap_select_mode
Method: GET
Page: index.php/tools/required/users/search_dialog
Parameters: mode
Method: GET
Page: index.php/tools/required/users/search_results
Parameters: mode, numResults & searchType
Method: GET
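Each of the parameters listed above is reflected back into the response without being encoded for its HTML context. The following PHP fragment is an added illustration written for this advisory, not Concrete5's own code: it shows the unsafe pattern beside the hardened form using the searchInstance parameter as an example; the function names and the sample input are constructed for the illustration.

```php
<?php
// Added illustration, not Concrete5 code. Demonstrates the difference between
// echoing a request parameter raw and encoding it for the HTML attribute context.

// Unsafe: the raw query-string value is written straight into the page, so any
// markup the client supplies is rendered by the browser as part of the page.
function render_unsafe(array $get) {
    $instance = isset($get['searchInstance']) ? $get['searchInstance'] : '';
    return '<input type="hidden" name="searchInstance" value="' . $instance . '">';
}

// Hardened: encode for the attribute context. ENT_QUOTES covers both quote
// styles so the value cannot terminate the attribute; the charset is stated
// explicitly so the encoder does not guess it from the server default.
function render_safe(array $get) {
    $instance = isset($get['searchInstance']) ? $get['searchInstance'] : '';
    $encoded  = htmlspecialchars($instance, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="searchInstance" value="' . $encoded . '">';
}

// Constructed sample input: a value containing a quote and angle brackets.
$sample = array('searchInstance' => '"><b>sample</b>');
echo render_unsafe($sample), "\n";   // the quote closes the attribute early
echo render_safe($sample), "\n";     // value stays inside the attribute as text
```

The same encoding step applies to every reflected parameter in the list (numResults, searchType, cID, sitemap_select_mode, mode, ccm-submit-button); the encoding function must match the context the value lands in, so a value written into a JavaScript block or a URL needs a different encoder than one written into an HTML attribute.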
3.2 Cookie Security
Current cookie name/value: CONCRETE5=6amek9tk8549gisbhsqcpi0ku6; path=/concrete5.5.2.1/
The 'httpOnly' and 'secure' flags should be set, as well as an expiry time/date.
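As an added illustration, not Concrete5's own code, the PHP fragment below shows how a session cookie is issued with the flags the advisory says are missing. The path and cookie name are taken from the advisory; the lifetime and the example application cookie are placeholder values chosen for the illustration.

```php
<?php
// Added illustration, not Concrete5 code: issue the session cookie with the
// HttpOnly and Secure flags and an expiry. Lifetime is a placeholder value.

// Only mark the cookie 'secure' when the site is actually served over HTTPS;
// a Secure cookie set over plain HTTP is never sent back, so logins would break.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// Session cookie settings must be applied before session_start().
ini_set('session.cookie_httponly', 1);            // not readable from JavaScript
ini_set('session.cookie_secure', $https ? 1 : 0); // sent over HTTPS only
ini_set('session.use_only_cookies', 1);           // never accept a session ID from the URL

$lifetime = 60 * 60 * 2;                          // 2 hours; placeholder value
// Arguments: lifetime, path, domain, secure, httponly.
session_set_cookie_params($lifetime, '/concrete5.5.2.1/', '', $https, true);
session_name('CONCRETE5');
session_start();

// An application-issued cookie exposes the same flags positionally:
// name, value, expire, path, domain, secure, httponly.
setcookie('example_pref', 'value', time() + $lifetime, '/concrete5.5.2.1/', '', $https, true);
```

Confirm the change by inspecting the Set-Cookie header in a response after login: it should now carry the HttpOnly attribute, the Secure attribute when served over HTTPS, and an expires attribute instead of the bare name, value and path shown above.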
4. Vulnerability Timeline
2012-07-24 – Reported to vendor
2012-07-24 – Vendor acknowledged
2012-08-25 – Vulnerability Disclosed
5. References
[0] http://www.concrete5.org/
[1] http://www.ethicalhack3r.co.uk/security/concrete5/