CMSimple XXS vulnerable

harteg · **Posted:** Thu Jul 21, 2005 10:58 am

Fix:

function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.$search;

should be replaced with:

function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.htmlspecialchars(stripslashes($search));

Will be fixed in next beta.

djot · **Posted:** Thu Jul 21, 2005 11:13 am

-
Edit:

The same may occur with all other used variables. So make sure you check them all (function sanitize() would be a good idea for this).

Also, I suggest to remove the link showing the XSS.

djot

PS: Why you (mis-)use cmsimple.de for this?
-

djot · **Posted:** Thu Jul 21, 2005 11:18 am

-
By the way ... searching for nothing ("", just clicking the search button) finds results on many pages.

djot
-

Jens · **Joined:** Sun Oct 17, 2004 9:47 pm **Posts:** 2505

but this seems to be only temporary? nothing is actually changed at the website...?

djot · **Posted:** Thu Jul 21, 2005 12:27 pm

-
I was asking me the same, but did remove that from above.

You can't access anything with this, since the input is shown in an echo function (not in exec() or somethin alike).

So no access to PHP, nor files, nor cookies nor other variables. And adding JS XSS is totally useless, since everything you can access is clientside (the hackers browser).

All this example shows is that the search input (and I guess many more variables) are not checked for correct user input.

djot
-

harteg · **Posted:** Tue Jul 26, 2005 12:08 pm

There is a page about the subject at http://www.securitytracker.com/alerts/2 ... 14556.html

(Removed the code and the link to cmsimple.de from my first posting).

djot · **Posted:** Tue Jul 26, 2005 2:38 pm

-

Harteg wrote:

(Removed the code and the link to cmsimple.de from my first posting).

Thx. We don't want to wake up sleeping dogs, won't we? Also jens would feel better with this :)

djot
-

mulder · **Posted:** Thu Jul 28, 2005 12:10 pm

djot wrote:

By the way ... searching for nothing ("", just clicking the search button) finds results on many pages.

Try something like :

Code:

if($f=='search'){$title=$tx['title']['search'];$ta=array();for($i=0;$i<$hl;$i++){if($search!=''&&@preg_match('/'.preg_quote($search,'/').'/i',$c[$hc[$i]]))$ta[]=$hc[$i];}$o.='<h1>'.$tx['search']['result'].'</h1><p>"'.htmlspecialchars(stripslashes($search)).'" ';if(count($ta)==0)$o.=$tx['search']['notfound'].'.';else{$o.=$tx['search']['foundin'].' '.count($ta). ' ';if(count($ta)>1)$o.=$tx['search']['pgplural'];else $o.=$tx['search']['pgsingular'];$o.=':';}$o.='</p>'.li($ta,'search');}

just added

Code:

$search!=''&&

djot · **Posted:** Thu Jul 28, 2005 12:15 pm

well, this was a hint for Peter, to fix that in the official distribution...

harteg · **Posted:** Mon Aug 08, 2005 11:52 am

Added it at http://www.cmsimple.dk/?Downloads:Future_development

walter_ps2 · **Joined:** Mon Aug 29, 2005 6:05 pm **Posts:** 1

I see that the fix is for only 2.4 version !

But I have a 2.3 also... do you have a solution for that old version ? Or it's better to upgrade to 2.4 and fix it ?

harteg · **Posted:** Tue Aug 30, 2005 7:09 am

I didn't fix it in 2.4 as far as I remember, but in the beta 2.5 - it is only the one-liner function printlink() needed to be update (see first post).

Archived CMSimple Support Forum

CMSimple XXS vulnerable

Who is online