Message-ID: <20070104215932.26634.qmail@securityfocus.com>
Date: 4 Jan 2007 21:59:32 -0000
From: nanoymaster@...il.com
To: bugtraq@...urityfocus.com
Subject: CMS Made Simple non-permanent XSS
########################
# /||` \ | || \` / ||\ #
#/ || |\\| ||` \/` || \#
#\ || | \` || |\/| || /#
# \||_|` \_||_|` |_||/ #
# http://www.nanoy.org #
########################
Hacker.: NanoyMaster
CMS....: CMS Made Simple
Version: 1.0.2
[--------exploits----------]
1) Search XSS (non-permanent)
2) preview XSS (non-permanent)
3) Admin login XSS (non-permanent)
4) Outro
[--------------------[NM]--]
[-------1.Search XSS-------]
XSS in search, e.g.:
http://<site>/<path>/index.php?mact=Search%2Ccntnt01%2Cdosearch%2C0&cntnt01returnid=15&cntnt01searchinput=<XSS>&cntnt01submit=Submit
Patch: modules\Search\action.dosearch.php
Add the following to line 3:
$params['searchinput'] = htmlentities($params['searchinput']);
[--------------------[NM]--]
[------2.Preview XSS-------]
XSS in Preview, e.g.:
http://<site>/<path>/preview.php?tmpfile=<xss>
Patch: preview.php
Add the following to line 38:
$page = htmlentities($page);
[--------------------[NM]--]
[----3.Admin Login XSS-----]
Type in username:
"><xss>
then submit
(make your own post form for more than 15 chars)
Patch: http://<site>/<path>/admin/themes/<theme>/login.php
Add the following near the top:
<?php if(isset($_POST['username'])){$_POST['username'] = htmlentities($_POST['username']);} ?>
[--------------------[NM]--]
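All three items above are the same pattern: a request value (search input, preview temp file name, login username) is reflected into the page without encoding, and each patch fixes it with htmlentities(). The PHP below is an added example, not code from the advisory or from CMS Made Simple, showing the unsafe reflection beside the encoded form, run on the constructed sample "><xss> taken from item 3. Function names are hypothetical. One difference from the patches as written: the example passes ENT_QUOTES and an explicit charset, because htmlentities() left single quotes unencoded by default before PHP 8.1.

```php
<?php
// Added example (not from the advisory or the project): reflection of a
// request value into an HTML attribute, unsafe and encoded.
// Function names are hypothetical; $input is a constructed sample.

// Unsafe: raw user input concatenated into an attribute value. A value
// starting with a double quote closes the attribute and anything after it
// is parsed as markup.
function render_username_unsafe(string $username): string
{
    return '<input type="text" name="username" value="' . $username . '">';
}

// Encoded: htmlentities() at the point of output. ENT_QUOTES also converts
// single quotes (not done by default before PHP 8.1); ENT_SUBSTITUTE
// replaces invalid byte sequences instead of returning an empty string;
// the explicit charset avoids guessing the encoding of the input.
function render_username_safe(string $username): string
{
    $encoded = htmlentities($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="username" value="' . $encoded . '">';
}

// Review check: does the raw input survive verbatim in the rendered HTML?
// True means the value can still break out of its attribute context.
function reflects_markup(string $html, string $input): bool
{
    return strpos($html, $input) !== false;
}

$input = '"><xss>';   // constructed sample, as in item 3 of the advisory

$unsafe = render_username_unsafe($input);
$safe   = render_username_safe($input);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
var_dump(reflects_markup($unsafe, $input));
var_dump(reflects_markup($safe, $input));
```

With the sample above the encoded attribute value becomes &quot;&gt;&lt;xss&gt;, so the double quote and angle brackets no longer reach the HTML parser as syntax. Note that the advisory's first and third patches encode the value as it arrives in $params / $_POST, whereas this example encodes at output; encoding at output keeps the original value available for the search itself and applies the encoding that matches the context it is written into.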
[----------0.Outro---------]
Well I hope you liked this whitepaper
Have fun screwing with sites that use this package
(Or patching your sites!)
Sorry only 2 holes were added, I'll try harder next time ;)
Check out my site: http://www.nanoy.org
there are a few challs etc.
peace (^_^)___\/m
[--------------------[NM]--]