Posts: 4
Threads: 1
Joined: Feb 2013
Hello,
High-Tech Bridge Security Research Lab has discovered multiple security vulnerabilities in GetSimple CMS 3.1.2
Preview available here: https://www.htbridge.com/advisory/HTB23141
Developers can contact us by email for details: advisory (at) htbridge.com
For any questions related to this notification message - please visit our General Information & Disclosure Policy page: https://www.htbridge.com/advisory/disclo...olicy.html
Best regards,
High-Tech Bridge Security Research Lab
Posts: 2,928
Threads: 195
Joined: Feb 2011
To be fair, you should have added the info here that the risk level is low ;=)
Posts: 6,266
Threads: 181
Joined: Sep 2011
I have already taken care of this; most of these are reflected XSS that have already been disclosed by another firm.
Posts: 2,928
Threads: 195
Joined: Feb 2011
shawn, that is good to hear, thanks!
Posts: 4
Threads: 1
Joined: Feb 2013
Could you please provide us with information about these vulnerabilities discovered by "another firm"? A link to security patch would also be highly appreciated.
Posts: 6,266
Threads: 181
Joined: Sep 2011
Oh, I guess it's the same ones; it was just posted internally a while back. Got confused there for a moment.
No patch yet.
Posts: 4
Threads: 1
Joined: Feb 2013
Could you please let us know when the security patch will be available? We don't want to disclose anything before then, in order to protect the end users.
Thanks.
Posts: 6,266
Threads: 181
Joined: Sep 2011
About half of them have been fixed by 3.2, which was just released.
The rest will be fixed in 3.2.1.
Posts: 3,491
Threads: 106
Joined: Mar 2010
@htbridge
Just a question: is there any vulnerability that can be exploited by non-authenticated users?
Posts: 4
Threads: 1
Joined: Feb 2013
2013-02-14, 09:11:55
(This post was last modified: 2013-02-14, 09:13:25 by htbridge.)
(2013-02-14, 08:46:25)shawn_a Wrote: About half of them have been fixed by 3.2, which was just released.
The rest will be fixed in 3.2.1.
We would appreciate it if you could notify us about the 3.2.1 release, so we can update the Solution field and change the advisory status to "Fixed by Vendor". Thank you.
(2013-02-14, 08:53:05)Carlos Wrote: @htbridge
Just a question: is there any vulnerability that can be exploited by non-authenticated users?
Yes, all of them. However, they can be used only against the administrator.
Posts: 6,266
Threads: 181
Joined: Sep 2011
No, they are all privileged and low vector.
Posts: 3,491
Threads: 106
Joined: Mar 2010
(2013-02-14, 09:11:55)htbridge Wrote: (2013-02-14, 08:53:05)Carlos Wrote: Just a question: is there any vulnerability that can be exploited by non-authenticated users?
Yes, all of them. However, they can be used only against the administrator.
Sorry I didn't express myself well.
So I understand that those vulnerabilities can only be exploited with the intervention of a logged-in administrator.
Nice to know.
Posts: 71
Threads: 6
Joined: Feb 2013
So then does that mean all changes should be done locally and then uploaded to the live site, so that an actual login never takes place? Kinda defeats the point of an admin CP if that's the case. Yea or nay?
Posts: 2,094
Threads: 54
Joined: Jan 2011
(2013-02-14, 21:50:49)WebDevandPhoto Wrote: So then does that mean all changes should be done locally and then uploaded to the live site, so that an actual login never takes place? Kinda defeats the point of an admin CP if that's the case. Yea or nay?
It rather means: if your computer is not compromised and you do not click on dubious links while logged into the GetSimple administration, there should be no problems.
Posts: 6,266
Threads: 181
Joined: Sep 2011
It means do not be an idiot.
Just like when you're using your bank site or any other site.
Do not click links blindly; do not click links to your own CMS admin pages.
These would be targeted attacks, not drive-bys.
The reason these are low is that you have to be logged in, we do not have persistent sessions, and we typically do not have multiple users logged in: there is 1 admin user, and you only need to log in when you are editing the CMS, not always.
There are things we can do to protect against these, and if I had more time or more devs it would be done.
You can see all the serious threats I fixed in 3.2 doing my own security audits, but we are still limited on resources, inheriting this codebase from Chris and playing catch-up for the most part.
3.2 fixes some of these due to the traversal fixes I already implemented.
We can add output filtering for all user input, which should have been done to begin with anyway.
We can add referer checking to all input; I think it's restricted to editing pages.
We can add CSRF checks to more operations.
We can add a better anti-XSS filter; Martin wrote ours a very long time ago, and XSS evolves a lot.
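As an added example (not GetSimple's own code, and not written by anyone in this thread), the PHP below sketches the three mitigations listed in the post above: escaping reflected input before it is echoed into HTML, a per-session CSRF token compared in constant time, and a Referer check on admin form handlers so that a crafted link posted on another site cannot drive a state-changing admin request. The function names, the `/admin/` path prefix, the hostname and the sample request values are assumptions made for illustration.

```php
<?php
// Added illustration, not GetSimple CMS code. Function names, the "/admin/"
// prefix, the hostname and the sample request values below are assumptions.
declare(strict_types=1);

// 1. Output filtering: encode a user-controlled value before it is echoed into
//    HTML. htmlspecialchars turns <, >, ", ' and & into entities, so a reflected
//    script payload is displayed as text instead of being parsed as markup.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. CSRF token: one random token per session, embedded in every admin form
//    and compared in constant time on submission.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_check(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// 3. Referer check: a state-changing admin request should originate from one
//    of our own admin pages, not from a link on some other site.
function referer_ok(?string $referer, string $siteHost, string $adminPrefix = '/admin/'): bool
{
    if ($referer === null || $referer === '') {
        return false; // no Referer at all: reject for state-changing requests
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'], $parts['path'])) {
        return false;
    }
    return strcasecmp($parts['host'], $siteHost) === 0
        && strncmp($parts['path'], $adminPrefix, strlen($adminPrefix)) === 0;
}

// --- Walk-through with constructed values ---

$session  = [];              // stands in for $_SESSION
$siteHost = 'example.com';   // assumed site hostname

// A constructed query-string value of the kind a reflected-XSS link would carry.
$q = '"><script>alert(document.cookie)</script>';
echo 'Search results for: ' . esc_html($q) . "\n";

// The token is written into the admin form (escaped, like any other output).
$token = csrf_token($session);
echo '<input type="hidden" name="nonce" value="' . esc_html($token) . '">' . "\n";

// Request arriving via a link on another site: foreign Referer, no nonce.
$foreign  = ['nonce' => null, 'referer' => 'https://forum.example.org/thread/123'];
$accepted = csrf_check($session, $foreign['nonce'])
    && referer_ok($foreign['referer'], $siteHost);
echo 'foreign request: ' . ($accepted ? 'accepted' : 'rejected') . "\n";

// Request submitted from our own admin form carrying the session token.
$own      = ['nonce' => $token, 'referer' => 'https://example.com/admin/edit.php?id=index'];
$accepted = csrf_check($session, $own['nonce'])
    && referer_ok($own['referer'], $siteHost);
echo 'own request: ' . ($accepted ? 'accepted' : 'rejected') . "\n";
```

The Referer check is deliberately strict (a missing header is rejected) because it only guards state-changing admin actions, where a legitimate browser submitting one of our own forms will send it; the CSRF token remains the primary control, since Referer headers can be stripped by proxies or browser settings. Read-only admin pages that merely echo a parameter need only the output escaping.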
Posts: 71
Threads: 6
Joined: Feb 2013
Interesting, so these security risks are more or less developed around the concept of behavioral engineering, in that people do unintelligent things quite often. I'm not a security expert, but would applying a deny all / allow from IP (an admin whitelist) in .htaccess for the admin files fix most of these types of exploits?
Posts: 6,266
Threads: 181
Joined: Sep 2011
If your host is worth its salt then you have mod_security enabled and it will stop most of these.
But if I want to hack you and I post a link in this forum to your GS site with a crafted URL, I can inject JavaScript in your browser and steal your cookies or do other bad things.
Posts: 71
Threads: 6
Joined: Feb 2013
Amazing! Yeah, I have mod_security enabled and would never click a link that has a huge URL like that.
Thank you for explaining how the security risk works.
Posts: 6,266
Threads: 181
Joined: Sep 2011
Some of these were fixed already in 3.2, the rest should be taken care of in 3.2.1.
See beta thread.