Concrete5 Reflected XSS Vulnerability via HTTP Header Host Parameter

Hello

This vulnerability doesn’t lead to any attack vector, for now, but I want to share my analysis.

If you install concrete5 with the default configuration, you will probably select greek_yogurt as the default theme. The following code belongs to default.php of that theme.

Let’s look at the code of header.php, which is included on the second line.

Now it’s time to find header_required.php too. The following code was taken from header_required.php, lines 79 – 82.

Let’s focus on CCM_BASE_URL, because the name BASE_URL looks like the Host header of the HTTP request, and we know that header can be controlled by an attacker.

In order to understand the definition of BASE_URL, we need to understand the following code. It was taken from config/base.php, lines 20-26.

As you can see, it reads the Host header via $_SERVER and defines it as the BASE_URL value. It seems there should be a reflected XSS here.

The following code was captured from Firefox; you can see the JavaScript variables there, and one of them looks like the variable we analysed above.

In order to exploit that vulnerability, you write an inline JavaScript payload into the Host header of the HTTP request.

And there is our reflected XSS! The following code is the result of that HTTP request.

This is a reflected XSS, but it’s not useful as an attack vector: you cannot change another user’s Host header. Concrete5 developers should fix the issue anyway.
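To make the data flow described above concrete, here is an added illustrative example (it is not concrete5’s own code and not the fix in the linked commit): a weak pattern that derives a base URL from the Host header and concatenates it straight into an inline script, beside a hardened variant that checks the host against a configured allowlist and JSON-encodes the value for the JavaScript context. The function names, the allowlist and the request array are constructed for this example.

```php
<?php
// Illustrative example (not concrete5's own code): how a Host-derived base URL
// ends up inside an inline <script> block, and one hardened alternative.

// --- Weak pattern: trust the Host header and emit it raw into JavaScript ---
function weak_base_url(array $server): string
{
    // Attacker-influenced: the Host header is whatever the client sent.
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . ($server['HTTP_HOST'] ?? '');
}

function weak_script_block(string $baseUrl): string
{
    // Plain string concatenation into an inline script: a quote or a
    // </script> sequence inside $baseUrl terminates the string literal.
    return "<script>var CCM_BASE_URL = '" . $baseUrl . "';</script>";
}

// --- Hardened pattern: allowlist the host, then JSON-encode for JS context ---
const ALLOWED_HOSTS = ['www.example.com', 'example.com']; // constructed allowlist

function safe_base_url(array $server, array $allowedHosts = ALLOWED_HOSTS): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host = strtolower($server['HTTP_HOST'] ?? '');
    // Compare without an optional port; if the host is not one we serve,
    // fall back to the canonical host instead of echoing the client's value.
    $hostOnly = preg_replace('/:\d+$/', '', $host);
    if (!in_array($hostOnly, $allowedHosts, true)) {
        $host = $allowedHosts[0];
    }
    return $scheme . '://' . $host;
}

function safe_script_block(string $baseUrl): string
{
    // json_encode with JSON_HEX_* flags yields a JS string literal in which
    // <, >, &, ' and " are \u-escaped, so neither a quote nor a closing
    // </script> tag can break out of the string context.
    $js = json_encode($baseUrl, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return "<script>var CCM_BASE_URL = " . $js . ";</script>";
}

// Constructed request: a Host header carrying a quote and a script tag.
$request = [
    'HTTPS'     => 'on',
    'HTTP_HOST' => "example.com'</script><script>alert(1)</script>",
];

// The weak output contains a second <script> element supplied by the client;
// the hardened output holds a single, fully escaped JS string literal.
echo weak_script_block(weak_base_url($request)), PHP_EOL;
echo safe_script_block(safe_base_url($request)), PHP_EOL;
```

The allowlist is the important half: escaping alone stops the script injection, but a Host-derived base URL that is merely escaped still lets a client steer generated absolute links to a host of their choosing, so checking the header against the hostnames the site actually serves is the check worth keeping.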

Fix can be found here: https://github.com/mmetince/concrete5/commit/e9fbce9ae0dcfbe79d95328ee5d1dbb36b03ac4f


  • Thanks for sharing.

    You might want to go to this site in the future for these types of things:
    http://hackerone.com/concrete5

    Or submit it directly to us here:
    http://www.concrete5.org/developers/security/

    • mehmet ince

      Actually, I shared 1 critical vulnerability via hackerone (and I’m still keeping it private until you guys fix it) and developers are trying to fix it right now. I usually prefer to share information when it’s a critical one. But this one is a really low-level vulnerability and there is no way to use it as an attack vector. That was my reason why I made it public via a blog post. Also I fixed all of these vulnerabilities and sent a pull request on github. You can simply merge it.