##############################################
CMSimple 'search' variable XSS
Vendor URL: http://www.cmsimple.dk/
Advisory: http://lostmon.blogspot.com/2005/07/cmsimple-search-variable-xss.html
Vendor fix URL: http://www.cmsimple.dk/forum/viewtopic.php?t=2470
Vendor confirmed: YES
Exploit available: yes
##############################################

CMSimple is a simple content management system for the smart maintenance of small commercial or private sites. It is simple - small - smart!

CMSimple contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the 'search' variable when it is submitted to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. The index.php file contains only an include of the cmsimple/cms.php file.

#############
VERSIONS
#############

CMSimple 2.4 and earlier versions

#############
Solution
#############

Vendor fix: http://www.cmsimple.dk/forum/viewtopic.php?t=2470

Fix: the fragment

    function printlink(){
        global $f,$search,$file,$sn,$su,$tx;
        $t=amp().'print';
        if($f=='search')$t.=amp().'function=search'.amp().'search='.$search;

should be replaced with:

    function printlink(){
        global $f,$search,$file,$sn,$su,$tx;
        $t=amp().'print';
        if($f=='search')$t.=amp().'function=search'.amp().'search='.htmlspecialchars(stripslashes($search));

Will be fixed in the next beta.
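As an added illustration (not CMSimple's own code), the following stand-alone PHP models the printlink() fragment before and after the vendor fix and renders both into the print link, so the effect of the missing output encoding is visible side by side. The amp() helper and the function parameters are assumptions made for this demonstration, and the search value is constructed.

```php
<?php
// Added example, not CMSimple's code: model of the printlink() fragment
// from the advisory, in its vulnerable and fixed forms.

// Assumed stand-in for CMSimple's amp() helper: returns the entity-encoded
// parameter separator used when building links.
function amp() { return '&amp;'; }

// Vulnerable form: the 'search' value is copied straight into the href
// attribute, so a double quote in it terminates the attribute.
function printlink_vulnerable($f, $search) {
    $t = amp() . 'print';
    if ($f == 'search') {
        $t .= amp() . 'function=search' . amp() . 'search=' . $search;
    }
    return '<a href="?' . $t . '">Print</a>';
}

// Fixed form (the vendor's change): slashes added by magic_quotes are
// removed, then the value is entity-encoded so '"', '<', '>' and '&'
// cannot break out of the attribute context.
function printlink_fixed($f, $search) {
    $t = amp() . 'print';
    if ($f == 'search') {
        $t .= amp() . 'function=search' . amp() . 'search='
            . htmlspecialchars(stripslashes($search));
    }
    return '<a href="?' . $t . '">Print</a>';
}

// Constructed input: a value that closes the href attribute and adds markup.
$search = 'test"><em>injected</em>';

echo "vulnerable: ", printlink_vulnerable('search', $search), "\n";
echo "fixed:      ", printlink_fixed('search', $search), "\n";
```

In the vulnerable output the `<em>` element lands outside the attribute as live markup; in the fixed output it stays inside the href as `&quot;&gt;&lt;em&gt;...`, which is what a detection rule or a code review of similar link builders should check for.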
#############
Timeline
#############

Discovered: 13-07-2005
Vendor notified: 20-07-2005
Vendor response: 21-07-2005
Vendor fix: 21-07-2005
Disclosure: 21-07-2005

################
Proof of concept
################

http://[victim]/index.php?&print&function=search&search= ">
http://[victim]/?function=search&search=[XSS-CODE]
http://[victim]/?&print&function=search&search=[XSS-CODE]
http://[victim]/?License&function=search&search=[XSS-CODE]
http://[victim]/?Resellers&function=search&search=[XSS-CODE]
http://[victim]/?&guestbook&function=search&search=[XSS-CODE]

######################
€nd
#########################

Thanks to Estrella for being my light.
Thanks to http://www.drorshalev.com/ for hosting the 'js.js' script.

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/

--
Curiosity is what moves the mind....