Croogo 2.0.0 Multiple Stored XSS Vulnerabilities
Title: Croogo 2.0.0 Multiple Stored XSS Vulnerabilities
Advisory ID: ZSL-2014-5201
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 12.10.2014
Summary
Croogo is a free, open source content management system for PHP, released under the MIT License. It is powered by the CakePHP MVC framework.
Description
Croogo version 2.0.0 suffers from multiple stored cross-site scripting vulnerabilities. Input passed to several POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Vendor
Fahad Ibnay Heylaal - http://www.croogo.org
Affected Version
2.0.0
Tested On
Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
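The defect described in the Description section (untrusted POST input that is stored and later returned inside HTML without output encoding) and its fix, shown side by side in PHP. This is an added example, not Croogo's code and not part of the original advisory: the field name `title`, the in-memory storage array and the sample value are constructed for illustration, since the advisory does not name the affected parameters.

```php
<?php
// Added example (not Croogo's code): a hypothetical "title" field is stored and
// later rendered to every visitor, which is what makes the XSS "stored".
// The field name, the storage array and the sample value are constructed here.

// Constructed sample of untrusted input, as it might arrive in a POST body.
$untrustedPost = ['title' => '<script>alert(document.domain)</script> Hello'];

// Simulated persistence layer standing in for the database.
$storage = [];

function saveRecord(array &$storage, array $post)
{
    // Storing the raw value is acceptable; the defect is in how it is rendered.
    $storage['title'] = $post['title'] ?? '';
}

// Vulnerable rendering: the stored string is concatenated straight into HTML,
// so any markup it contains becomes part of the page for every later visitor.
function renderVulnerable(array $storage)
{
    return '<h1>' . $storage['title'] . '</h1>';
}

// Hardened rendering: encode for the HTML text context at output time.
// ENT_QUOTES also encodes ' and ", so the same helper is safe inside attribute
// values; ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
// CakePHP's h() helper is a thin wrapper around this call.
function escapeHtml($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderHardened(array $storage)
{
    return '<h1>' . escapeHtml($storage['title']) . '</h1>';
}

saveRecord($storage, $untrustedPost);
echo renderVulnerable($storage) . PHP_EOL;  // markup reaches the browser verbatim
echo renderHardened($storage) . PHP_EOL;    // markup is encoded and displayed as text
```

Run it with the `php` command line interpreter: the first output line contains the stored markup unchanged, the second contains it encoded as entities, which a browser displays as literal text. Encoding belongs at the point of output and must match the context the value lands in (HTML text, attribute, JavaScript, URL); stripping tags on input is a weaker substitute because the same stored value is often rendered in more than one context. A Content-Security-Policy header that disallows inline script is a useful second layer but does not replace output encoding.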
Vendor Status
[26.07.2014] Vulnerabilities discovered.
[27.07.2014] Vendor contacted.
[27.07.2014] Vendor responds asking more details.
[27.07.2014] Sent details to the vendor.
[28.07.2014] Vendor confirms the issues promising patch.
[04.08.2014] Working with the vendor.
[07.08.2014] Fix developed.
[02.09.2014] Vendor releases version 2.1.0 to address these issues.
[12.10.2014] Coordinated public security advisory released.
PoC
croogo_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://blog.croogo.org/blog/croogo-210-released
[2] http://osvdb.org/show/osvdb/113109
[3] http://osvdb.org/show/osvdb/113110
[4] http://osvdb.org/show/osvdb/113111
[5] http://osvdb.org/show/osvdb/113113
[6] http://www.exploit-db.com/exploits/34959/
[7] http://packetstormsecurity.com/files/128639
[8] http://cxsecurity.com/issue/WLB-2014100076
[9] http://www.securityfocus.com/bid/70413
[10] http://xforce.iss.net/xforce/xfdb/96991
[11] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8577
[12] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8577
Changelog
[12.10.2014] - Initial release
[14.10.2014] - Added reference [2], [3], [4], [5], [6], [7], [8] and [9]
[20.10.2014] - Added reference [10]
[03.11.2014] - Added reference [11] and [12]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk