Occasionally in my life I've helped out with various friends' sites, and
one of these was for a long time built upon a CMS called
concrete5. To me, concrete5 is a fairly
different CMS from various other offerings such as Drupal and WordPress,
with more of a drag 'n drop interface. The website boasts ease of use -
"Easy to Use", "Easy to Theme", "Easy to Extend" - and the user interface
is fairly well put together.
Of course, it's a CMS, and it's PHP, so there's bound to be some vulns
in there over time. After a couple of experiences with upgrading after
vulnerability disclosures, and inspired by
wpscan, I thought it'd be useful
to start scripting up a checker.
The result is c5scan, and you can view or get c5scan on
GitHub.
As an example of usage I thought I'd try the scanner against a few sites
listed on the concrete5
showcase:
$ ./c5scan.py -u http://www.cambridge.org/
**********************************************************
* ~ C5scan ~ *
* A vulnerability and information gatherer for concrete5 *
* auraltension@riseup.net *
**********************************************************
URL: http://www.cambridge.org/
[+] Interesting header: server: PWS/8.1.20.9
[+] robots.txt found at http://www.cambridge.org/robots.txt
Enumerating updates in /updates/
Looking for Readme files
[+] Found a readme at: http://www.cambridge.org/concrete/libraries/3rdparty/adodb/readme.txt
[+] Found a readme at: http://www.cambridge.org/concrete/libraries/3rdparty/adodb/docs/docs-adodb.htm
[+] Found a readme at: http://www.cambridge.org/concrete/blocks/video/README
[+] Found a readme at: http://www.cambridge.org/concrete/libraries/3rdparty/StandardAnalyzer/Readme.txt
[+] Found a readme at: http://www.cambridge.org/concrete/libraries/3rdparty/securimage/README.txt
Checking for known vulnerabilities in updates
$ ./c5scan.py -u http://www.mini.co.uk
**********************************************************
* ~ C5scan ~ *
* A vulnerability and information gatherer for concrete5 *
* auraltension@riseup.net *
**********************************************************
URL: http://www.mini.co.uk/
[+] Interesting header: server: Apache
[+] Interesting header: x-powered-by: PHP/5.1.6
[+] robots.txt found at http://www.mini.co.uk/robots.txt
Enumerating updates in /updates/
Looking for Readme files
[+] Found a readme at: http://www.mini.co.uk/concrete/libraries/3rdparty/adodb/readme.txt
[+] Found a readme at: http://www.mini.co.uk/concrete/libraries/3rdparty/adodb/docs/docs-adodb.htm
[+] Found a readme at: http://www.mini.co.uk/concrete/blocks/video/README
[+] Found a readme at: http://www.mini.co.uk/concrete/libraries/3rdparty/StandardAnalyzer/Readme.txt
[+] Found a readme at: http://www.mini.co.uk/concrete/libraries/3rdparty/securimage/README.txt
Checking for known vulnerabilities in updates
$ ./c5scan.py -u www.serena.com
**********************************************************
* ~ C5scan ~ *
* A vulnerability and information gatherer for concrete5 *
* auraltension@riseup.net *
**********************************************************
No http:// or https:// provided. Trying http://
URL: http://www.serena.com/
[+] Discovered version 5.6.1.2 from meta 'generator' tag
[+] Interesting header: server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4
[+] robots.txt found at http://www.serena.com/robots.txt
Enumerating updates in /updates/
[+] Update version 5.6.1 exists
[+] Update version 5.6.1.2 exists
[+] Update version 5.6.1.2 exists
Looking for Readme files
[+] Found a readme at: http://www.serena.com/concrete/libraries/3rdparty/adodb/readme.txt
[+] Found a readme at: http://www.serena.com/concrete/libraries/3rdparty/adodb/docs/docs-adodb.htm
[+] Found a readme at: http://www.serena.com/concrete/blocks/video/README
[+] Found a readme at: http://www.serena.com/concrete/libraries/3rdparty/StandardAnalyzer/Readme.txt
[+] Found a readme at: http://www.serena.com/concrete/libraries/3rdparty/securimage/README.txt
Checking for known vulnerabilities in updates
[+] A known vulnerability exists for 5.6.1.2:
Multiple CSRF and Stored XSS Vulnerabilities
http://www.exploit-db.com/exploits/26077/
Checking for known vulnerabilities in current version
[+] A known vulnerability exists for 5.6.1.2:
Multiple CSRF and Stored XSS Vulnerabilities
http://www.exploit-db.com/exploits/26077/
I've got a bunch of work to do over time, such as adding threading,
ideas for additional checks, output formats, improving functionality in
the checking of vulns, input lists/files, and various ways to make the
checks more useful to the user. But that's much of the fun of a random
open-source project ;)
I'm also wanting to set aside some time to poke more into the concrete5
code itself to look for some bugs,
understand its structure and poke at it a bit, which I'm sure will
result in more improvements. You'll note in one of the examples above
that there is a check for known vulnerabilities in any of the installed
updates, as concrete5 leaves prior code in the /updates directory;
however, I have yet to confirm whether any of the update code may even
provide an attack vector.
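To show what the "known vulnerabilities in current version" and "in updates" checks above boil down to, here is an added example (not c5scan's own code) that a site owner can run offline against their own page source: it pulls the version leaked by the generator meta tag, merges it with the versions found under /updates/, and matches each against an advisory table. The generator string format and the "affected up to and including" rule are assumptions; the single advisory entry is the one reported in the scan output.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample HTML: the <meta name="generator"> tag a concrete5 5.6.x
# site emits. The exact content format ("concrete5 - 5.6.1.2") is an assumption.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="concrete5 - 5.6.1.2" />
<title>Example</title></head><body></body></html>"""

# Advisory table: (newest affected version, title, reference). The one entry
# comes from the scan output on this page; treating it as "affected up to and
# including" is an assumption that generalises the scanner's exact match.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("5.6.1.2", "Multiple CSRF and Stored XSS Vulnerabilities",
     "http://www.exploit-db.com/exploits/26077/"),
]

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']concrete5[^"\'0-9]*'
    r'([0-9]+(?:\.[0-9]+)*)["\']',
    re.IGNORECASE,
)


def version_from_generator(html: str) -> Optional[str]:
    """Version string leaked by the generator meta tag, or None if absent."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[int, ...]:
    # Tuple comparison orders 5.6.1 < 5.6.1.2 < 5.6.2 correctly.
    return tuple(int(x) for x in v.split("."))


def advisories_for(version: str) -> List[Tuple[str, str]]:
    """(title, reference) for every advisory affecting `version`."""
    pv = parse_version(version)
    return [(title, ref) for max_v, title, ref in ADVISORIES
            if pv <= parse_version(max_v)]


def assess(html: str, update_versions: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each version present (current install plus every leftover
    /updates/ tree) to its known advisories, with duplicates collapsed."""
    versions: List[str] = []
    current = version_from_generator(html)
    if current:
        versions.append(current)
    for v in update_versions:       # /updates/ may repeat the live version
        if v not in versions:
            versions.append(v)
    return {v: advisories_for(v) for v in versions}
```

Feeding `assess` the versions from the serena.com run above yields one advisory each for 5.6.1.2 and for the older 5.6.1 update tree.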
I hope that somebody else can find this useful, and issue
submissions are highly
valued.
*serena.com had been advised of the
positive finding on their site prior to the publishing of this
post.