Hi,

CMS Made Simple has several security problems - XSS in the admin console, weak CSRF protection and a possible PHP object injection via unserialize. These vulnerabilities were considered unimportant by the CMS Made Simple developers. Their reasoning was that they had to be exploited by a logged-in administrator user, who is a trusted user anyway. When I explained to them that with XSS all you need to do is send a malicious link to the administrator, they responded back saying that they are confident in their CSRF protection. I then sent them an analysis of their CSRF protection (see the full advisory below), which I found to be quite weak. Finally they committed to implement a half-assed mitigation for the CSRF token weakness but said they will not fix the other issues.

Timeline:

- 27.11.2013: Initial contact to the emails listed in www.cmsmadesimple.com. No reply.
- 03.12.2013: Message posted in the www.cmsmadesimple.com public forum asking to contact me back. A few hours later I was contacted by calguy and sent him a more complete version of this advisory with recommendations.
- 09.12.2013: calguy responds saying these will not be fixed, as you have to be an admin user anyway to exploit them.
- 13.12.2013: After a few days arguing over email, Robert Campbell, CMS Made Simple project manager, responds with an official note saying they will double the CSRF token length in a future release but will not fix the rest of the issues.
- 14.12.2013: Handed over to CERT asking for help to try to reason with the CMS Made Simple developers.
- 28.02.2014: Public disclosure by CERT.

You can see the full report in my repo at https://github.com/pedrib/PoC/blob/master/cmsmadesimple-1.11.9.txt

And the CERT report at http://www.kb.cert.org/vuls/id/526062

There are plenty of CMSes out there that have a decent attitude towards security. Steer well clear of this one.

Regards,
Pedro Ribeiro
Agile Information Security