
Croogo 2.0.0 Multiple Stored XSS Vulnerabilities

Severity: Medium
Advisory ID: ZSL-2014-5201
Release Date: 12 October 2014
Vendor: Fahad Ibnay Heylaal - http://www.croogo.org
Affected Version: 2.0.0
Tested On: Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14
Summary

Croogo is a free, open source content management system for PHP, released under the MIT License. It is built on the CakePHP MVC framework.

Description

Croogo version 2.0.0 suffers from multiple stored cross-site scripting vulnerabilities. Input passed to several POST parameters is not properly sanitised before being stored and later returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
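Added illustration of the pattern described above (not part of the advisory and not Croogo's code): a value saved from a POST field is written into a CakePHP-style view unescaped, beside the same view escaped on output. The field and function names are hypothetical.

```php
<?php
// Added illustration, not Croogo's own code: the stored-XSS pattern the
// advisory describes, in a CakePHP-style view, beside the escaped form.
// Field and function names are hypothetical.

// Constructed sample of a value submitted in a POST field and saved to the
// database verbatim, which is the "not properly sanitised" step.
$storedTitle = 'Welcome <script>alert(1)</script>';

// Vulnerable pattern: the stored value is concatenated into the page as-is,
// so any markup it carries is parsed and executed by every visitor's browser.
function renderTitleUnsafe(string $title): string
{
    return '<h1>' . $title . '</h1>';
}

// Hardened pattern: encode at the point of output. This is what CakePHP's
// h() helper does (htmlspecialchars with ENT_QUOTES and UTF-8); it is
// re-implemented here so the snippet runs outside a CakePHP install.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function renderTitleSafe(string $title): string
{
    return '<h1>' . escapeHtml($title) . '</h1>';
}

// Check usable from a code review or a unit test: after the template's own
// <h1> wrapper is removed, nothing from the untrusted value may remain as a tag.
function untrustedPartIsInert(string $renderedHtml): bool
{
    $inner = substr($renderedHtml, strlen('<h1>'), -strlen('</h1>'));
    return strpbrk($inner, '<>') === false;
}

// Both outputs are printed so the difference is visible in a terminal;
// only the first one would execute script when served to a browser.
echo renderTitleUnsafe($storedTitle), PHP_EOL;
echo renderTitleSafe($storedTitle), PHP_EOL;
echo 'unsafe inert: ', var_export(untrustedPartIsInert(renderTitleUnsafe($storedTitle)), true), PHP_EOL;
echo 'safe inert:   ', var_export(untrustedPartIsInert(renderTitleSafe($storedTitle)), true), PHP_EOL;
```

Escaping on output is the fix that holds regardless of which form the data entered through; filtering only at the input side leaves every other write path exposed.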

Proof of Concept
Disclosure Timeline
26.07.2014 Vulnerabilities discovered.
27.07.2014 Vendor contacted.
27.07.2014 Vendor responds asking for more details.
27.07.2014 Sent details to the vendor.
28.07.2014 Vendor confirms the issues and promises a patch.
04.08.2014 Working with the vendor.
07.08.2014 Fix developed.
02.09.2014 Vendor releases version 2.1.0 to address these issues.
12.10.2014 Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
12.10.2014 Initial release
14.10.2014 Added references [2], [3], [4], [5], [6], [7], [8] and [9]
20.10.2014 Added reference [10]
03.11.2014 Added references [11] and [12]