Advisory: Reflecting XSS vulnerability in CMS Croogo v.2.2.0
Advisory ID: SROEADV-2015-02
Author: Steffen Rösemann
Affected Software: CMS Croogo v.2.20
Vendor URL: https://croogo.org
Vendor Status: solved
CVE-ID: -

==========================
Vulnerability Description:
==========================

The filemanager functionality in the administrative backend of CMS Croogo
v. 2.2.0 is prone to reflecting XSS attacks.

==================
Technical Details:
==================

The filemanager of a common Croogo installation is located here:

http://
{TARGET}/admin/file_manager/file_manager/editfile?path=%2FApplications%2FXAMPP%2Fxamppfiles%2Fhtdocs%2Fcroogo-2.2.0%2Fpackage.json

By appending arbitrary HTML- and/or JavaScriptcode to existing filenames,
it gets rendered in the generated webpage. It seems not to be working by
appending code to existing directory names.

Exploit-Example:

http://{TARGET}/admin/file_manager/file_manager/editfile?path=%2FApplications%2FXAMPP%2Fxamppfiles%2Fhtdocs%2Fcroogo-2.2.0%2Fpackage.json<script>alert("XSS
in filemanager functionality of CMS Croogo 2.2.0")</script><!--

=========
Solution:
=========

Update to Croogo v.2.2.1.


====================
Disclosure Timeline:
====================

03-Jan-2015 – found the vulnerability
03-Jan-2015 - informed the developers by opening an issue on Github (see
https://github.com/croogo/croogo/issues/599)
03-Jan-2015 – release date of this security advisory [without technical
details]
12-Jan-2015 - fix by vendor (v. 2.2.1)
12-Jan-2015 - release date of this security advisory
12-Jan-2015 - send to lists


========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] https://croogo.org
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-02.html
[3] https://github.com/croogo/croogo/issues/599
[4]
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-02.html