Concrete5 CMS has RCE, XSS and SQLi flaws

A researcher at Minded Security has discovered several unfixed vulnerabilities in Concrete5, one of the world's most popular content management systems (CMS).

“About a month ago we performed a Secure Code Review of Concrete5 version 5.7.3.1, the latest stable release at that time, and discovered multiple security issues within it,” said Egidio Romano, writing in a blog post that was published last Friday.

The reported vulnerabilities include remote code execution (RCE), multiple reflected cross-site scripting (XSS) flaws, SQL injection and various other bugs, some of which have not yet been fixed.

“These issues have been reported to the Concrete5 team through HackerOne, since they have a bug bounty programme in place. Some of them were promptly fixed in the next releases of the software, while others still have to be solved.”

Concrete5, a CMS written in PHP, was launched in 2003 as Concrete CMS and is believed to account for around three percent of CMS use worldwide. It was rebranded as Concrete5 and released fully open source under the MIT licence in 2008. According to its own website, Concrete5 powers more than 580,000 sites and has a community with over 230,000 members.

The most severe bug, according to Minded Security, is a high-risk remote code execution vulnerability affecting installations that deliver mail through Sendmail, which could allow an attacker to execute arbitrary PHP code on the server. Romano adds on his own blog that the flaw may be present in earlier releases of the software too.

“One of the most critical issues we discovered is a Remote Code Execution (RCE) vulnerability affecting Concrete5 websites which use Sendmail as mail server. This vulnerability is due to an incorrect validation of an input parameter used to store a setting related to the sender's address of a registration notification email.”

“The attack can be carried out in two steps:

1) the sender's email address setting is modified to alter the sendmail command line to add specific parameters which allow logging all the email traffic into an arbitrary file;

2) the attacker will send a specially crafted request to register a new account and will put some malicious PHP code after its email address. This will be written into the log file chosen during the first step, so in case it's a .php file arbitrary PHP code execution may be achieved (using the same technique described here).”

The mitigating factors are that the sender's email address setting can only be modified by an authenticated administrator (although an attacker could still reach it through a cross-site attack against a logged-in administrator), and that the flaw is only exploitable when the site sends mail via Sendmail.
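The two-step attack quoted above depends on the sender address reaching the sendmail command line without validation: sendmail's `-X` option writes a trace of all mail traffic to a file, which is the logging step the researcher describes. The PHP below is an added illustration written for this article, not Concrete5's own code. It models the unsafe pattern with a hypothetical helper that mirrors how PHP's `mail()` hands its fifth argument to the sendmail binary, shows a constructed attacker value, and contrasts it with a validator that accepts only a single well-formed address.

```php
<?php
// Added illustration, not Concrete5's code. Models how a stored sender address
// setting can end up on the sendmail command line, and how to validate it.

// --- Vulnerable pattern (hypothetical helper): the setting is trusted as-is ---
// PHP's mail() passes its 5th argument to the sendmail binary after only
// escapeshellcmd(), which leaves spaces alone, so a value containing spaces
// turns into extra command-line options.
function buildSendmailCommandUnsafe(string $sender): string
{
    // Equivalent of: mail($to, $subject, $body, $headers, "-f$sender")
    return '/usr/sbin/sendmail -t -i -f' . $sender;
}

// --- Hardened pattern: accept only one well-formed address ---
function validateSenderAddress(string $sender): ?string
{
    $sender = trim($sender);
    // FILTER_VALIDATE_EMAIL rejects whitespace, so "-X/path" style payloads
    // cannot be smuggled in; the leading-dash check is belt and braces against
    // a bare option being stored as the whole value.
    if ($sender === '' || $sender[0] === '-'
        || filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $sender;
}

function buildSendmailCommandSafe(string $sender): string
{
    $clean = validateSenderAddress($sender);
    if ($clean === null) {
        throw new InvalidArgumentException('Invalid sender address');
    }
    // escapeshellarg() keeps the whole value as a single argument even if a
    // future validator regression lets something odd through.
    return '/usr/sbin/sendmail -t -i ' . escapeshellarg('-f' . $clean);
}

// Constructed attacker value (not from the advisory): a real address followed
// by sendmail options. -OQueueDirectory points sendmail at a writable spool so
// it does not abort, and -X makes it log all traffic, including the crafted
// registration request body from step two, to a file under the web root.
$malicious = 'attacker@example.com -OQueueDirectory=/tmp -X/var/www/html/shell.php';

echo buildSendmailCommandUnsafe($malicious), PHP_EOL;

var_dump(validateSenderAddress($malicious));
var_dump(validateSenderAddress('noreply@example.com'));
echo buildSendmailCommandSafe('noreply@example.com'), PHP_EOL;

try {
    buildSendmailCommandSafe($malicious);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Running the script shows the unsafe helper emitting a command line with the injected `-OQueueDirectory` and `-X` options intact, while the validator returns `NULL` for the same value and the safe builder throws. The point for reviewers is that an email address setting is a shell-adjacent sink whenever it feeds `mail()`'s additional parameters, so it needs an allow-list check on the value itself, not just an admin-only permission on the form that sets it.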

Web administrators are advised to patch to the most recent version of Concrete5, which is now at build 5.7.4.2.