what you don't know can hurt you

CMSimple 4.6.2 Cross Site Scripting

CMSimple 4.6.2 Cross Site Scripting
Posted May 31, 2016
Authored by Manuel Garcia Cardenas

CMSimple versions 4.6.2 and below suffer from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | e93f6e0a70519ec45c3974333b210d29

CMSimple 4.6.2 Cross Site Scripting

Change Mirror Download
=============================================
MGC ALERT 2016-004
- Original release date: May 28, 2016
- Last revised: June 1, 2016
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Reflected XSS in CMSimple <= v4.6.2

II. BACKGROUND
-------------------------
CMSimple is a php based Content Managemant System (CMS) , which requires no
database. All data are stored in a simple file system.

III. DESCRIPTION
-------------------------
Has been detected a reflected XSS vulnerability in Admin Panel of CMSimple,
that allows the execution of arbitrary HTML/script code to be executed in
the context of the victim user's browser.

The code injection is done through the parameter "subdir" in the page
"userfiles".

IV. PROOF OF CONCEPT
-------------------------
Malicious Request:
/cmsimple/?userfiles&subdir=userfiles/<XSS injection>

Example:
/cmsimple/?userfiles&subdir=userfiles/<script>alert(1)</script>

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted user's
browser, this can leverage to steal sensitive information as user
credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
CMSimple <= v4.6.2

VII. SOLUTION
-------------------------
Update to version 4.6.3

VIII. REFERENCES
-------------------------
http://www.cmsimple.org/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
May 28, 2016 1: Initial release
June 1, 2016 2: Last revision

XI. DISCLOSURE TIMELINE
-------------------------
May 28, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas
May 28, 2016 2: Send to vendor
May 30, 2016 3: New version that includes patched code
http://cmsimple.org/downloadcounter/dlcount/count.php?id=31
June 1, 2016 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    15 Files
  • 22
    Feb 22nd
    2 Files
  • 23
    Feb 23rd
    2 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    37 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close