Message-ID: <CAEDdjHcyJpQURZFdWTk3Gs=nQnSL=mehtQAkwmdsWhL-KuLUBg@mail.gmail.com>
Date: Tue, 4 Mar 2014 00:08:43 +0000
From: Pedro Ribeiro <pedrib@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq <bugtraq@...urityfocus.com>
Subject: [CVE-2014-0334] XSS in CMS made simple, plus other security issues

Hi,

CMS Made Simple has several security problems - XSS in admin console, weak
CSRF protection and a possible PHP object insertion via unserialize.

These vulnerabilities were considered unimportant by the CMS Made Simple
developers. Their reasoning was that they had to be exploited by a logged
in administrator user who is a trusted user anyway. When I explained to
them that with XSS all you need to do is send a malicious link to the
administrator, they responded back saying that they are confident in their
CSRF protection. I then sent them an analysis of their CSRF protection (see
the full advisory below), which I found to be quite weak. Finally they
committed to implement a half-assed mitigation for the CSRF token weakness
but said they will not fix the other issues.

Timeline:

- 27.11.2013: Initial contact to the emails listed in www.cmsmadesimple.com.
No reply.

- 03.12.2013: Message posted in the www.cmsmadesimple.com public forum
asking to contact me back. A few hours later I was contacted by calguy and
sent him a more complete version of this advisory with recommendations.

- 09.12.2013: calguy responds saying these will not be fixed as you have to
be an admin user anyway to exploit them.

- 13.12.2013: After a few days arguing over email, Robert Campbell, CMS
Made Simple project manager, responds with an official note saying they
will double the CSRF token length in a future release but will not fix the
rest of the issues.

- 14.12.2013: Handed over to CERT asking for help to try to reason with the
CMS Made Simple developers.

- 28.02.2014: Public disclosure by CERT

You can see the full report in my repo at
https://github.com/pedrib/PoC/blob/master/cmsmadesimple-1.11.9.txt

And the CERT report at http://www.kb.cert.org/vuls/id/526062

There are plenty of CMS out there that have a decent attitude towards
security. Steer well clear of this one.

Regards
Pedro Ribeiro
Agile Information Security
