# Exploit Title: CiviCRM 3.1 < Beta 5 Multiple XSS Vulnerabilities
# Date: Dec 10 2009
# Author: h00die (mcyr2@csc.com) & Ch3nz (vpierorazio@csc.com)
# Software Link: http://sourceforge.net/projects/civicrm/files/civicrm-latest/3.1.beta1/civicrm-3.1.beta1-standalone.tar.gz/download
# Version: 3.1 Beta 1
# Tested on: BT4 pre-final
# Greetz to muts and loganWHD
# http://www.offensive-security.com/offsec101.php turning script kiddies into ninjas daily
#Timeline
#Discovery Date: Dec 9 2009
#Vendor Notification: Dec 31 2009
#Vendor Patch: Jan 13, 2010. Update to Beta 5 with fixes, also patch for Beta 4 released.
#Public Disclosure: Jan 13, 2010
#Background: Separated XSS Injection
#########################################################
CiviCRM uses a fairly complex filtering system to try to prevent attacks, yet still have the highest level of flexibility.
One of those filters prevents from being in the same input box.
In several cases it is possible to use multiple input boxes that get displayed later either together or close enough that it is
possible to inject the 1st half of the code in the first box with a trailing comment, then inject the end comment and end script
in the second box. We call this Separated XSS Injection. For instance, you have input box 1, and input box 2. It is not possible
to get by the IDS in the software by injecting into either of those boxes. When the content is later
displayed it is displayed in a table consisting of: Input box 1, ID# (auto generated), Input box 2. By injecting into input box 2 the content in the table then becomes:
. This script is now executable even though it was split and injected
into different areas.
#########################################################
#Vulnerable injection points
#########################################################
1. Tags
1a. HTML injection in both the Name and Description fields.
1b. Separated XSS Injection using the Name and Description input boxes. When the data is displayed, there is an ID field between
the two items, so in order to inject data but still have it look correctly try this:
Name: Tag| 1 | Description |
Keep in mind Name has ~64 char limit, Description is a 255 character limit
2. Groups
2a. HTML injection in both the Name and Description fields.
2b. Separated XSS Injection using the Name and Description input boxes. When the data is displayed, there is an ID field between
the two items, so in order to inject data but still have it look correctly try this:
Name: Group1 | Description |
Keep in mind Name has ~64 char limit.
***Also, since this data gets displayed in the Recent Items column on the left, it will break the interface. It also breaks
the Settings page for the group, so this data can not be altered once input w/o editing the DB by hand***
3. Contributions
3a. Source Notes, and Transaction ID are HTML injectable
3b. Separated XSS Injection using the Honoree First Name and Last Name input boxes. When the data is displayed, there are no fields between
the two items, so this is a safer injection point, but the xss does not display unless the user views the individual contribution.
Safe Injection Data:
First Name: Matt Smith
This attack also creates the Honoree as a person element in the system, so attacks are further reaching
3c. The Honoree First/Last Name fields have a length bug. When inserting a user to the system there is a 64 character limit on First/Last
Names. When inserting an honoree's First/Last name, there is no control on that. The data is then inserted into the Database as is,
and when the data is displayed, it is SHOWN at 64 characters even though all the characters are actually valid. What does this mean?
Lets look back at 3b, we can now do the following
First Name: 1234567890123456789012345678901234567890123456789012345678901234 LastName
Now when we view the contact's Details (for 1234...), and try to Edit the data the
Keep in mind each address field has a ~96 char limit.
#########################################################