Date: 4 Jan 2007 21:59:32 -0000
From: nanoymaster@...il.com
To: bugtraq@...urityfocus.com
Subject: CMS Made Simple non-permanent XSS

########################
# /||` \ | || \` / ||\ # 
#/ || |\\| ||` \/` || \#  
#\ || | \` || |\/| || /# 
# \||_|` \_||_|` |_||/ #
# http://www.nanoy.org #
########################

Hacker.: NanoyMaster
CMS....: CMS Made Simple
Version: 1.0.2

[--------exploits----------]
1) Search XSS (non-permanent)
2) preview XSS (non-permanent)
3) Admin login XSS (non-permanent)
4) Outro

[--------------------[NM]--]
[-------1.Search XSS-------]
XSS in search eg:
http://<site>/<path>/index.php?mact=Search%2Ccntnt01%2Cdosearch%2C0&cntnt01returnid=15&cntnt01searchinput=<XSS>&cntnt01submit=Submit

Patch: modules\Search\action.dosearch.php
Add the following to line 3:
$params['searchinput'] = htmlentities($params['searchinput']);

[--------------------[NM]--]
[------2.Preview XSS-------]
XSS in Preview eg:
http://<site>/<path>/preview.php?tmpfile=<xss>

Patch: preview.php
add the following to line 38:
$page = htmlentities($page);

[--------------------[NM]--]
[----3.Admin Login XSS-----]
Type in username:
"><xss>
then submit
(make your own post form for more than 15 chars)

Patch: http://<site>/<path>/admin/themes/<theme>/login.php
Add the following near the top:
<?php if(isset($_POST['username'])){$_POST['username'] = htmlentities($_POST['username']);} ?>

[--------------------[NM]--]
[----------0.Outro---------]
Well I hope you liked this whitepaper
Have fun screwing with sites that use this package
(Or patching your sites!)
Sorry only 2 holes were added, I'll try harder next time ;)
Check out my site: http://www.nanoy.org
theres a few challs etc.

peace (^_^)___\/m
[--------------------[NM]--]

Powered by blists - more mailing lists