Concrete CMS is designed for ease of use, for users with a minimum of technical skills. It enables users to edit site content directly from the page. It provides version management for every page, similar to wiki software, another type of web site development software. Concrete5 allows users to edit images through an embedded editor on the page. As of 2021, there are over 62,000 live websites that use Concrete CMS under the hood. During a recent pentest, our team found a very interesting vulnerability. Discovery of the vulnerability was relatively simple (a race condition), however creating a POC was quite challenging, hence the reason for this post. You will need a low privileged user to exploit this vulnerability and gain RCE in Concrete CMS.
Tag: insecure-randomness
Independently secure, together not so much – a story of 2 WP plugins
Recently we had to do a security assessment on a WordPress website. Obviously when dealing with a WordPress installation the best option is to always target the plugins. We’ve quickly enumerated the plugins using WPScan and then we recreated this setup in our local environment for easier testing & debugging. We found 2 interesting plugins which support file uploads and that is always interesting functionality to abuse, so we will study them one by one.
