Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Poisoning

🗓️ 04 May 2016 00:00:00Reported by Mickaël WalterType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 53 Views

CMS Made Simple web cache poisoning via Host Heade

Related
Code
ReporterTitlePublishedViews
Family
0day.today		CMS Made Simple < 2.1.3 / < 1.12.1 - Web Server Cache Poisoning
4 May 201600:00
zdt
Circl		CVE-2016-2784
4 May 201600:00
circl
CNVD		CMS Made Simple Cross-Site Scripting Vulnerability
7 May 201600:00
cnvd
CVE		CVE-2016-2784
26 May 201614:00
cve
Cvelist		CVE-2016-2784
26 May 201614:00
cvelist
EUVD		EUVD-2016-3858
7 Oct 202500:30
euvd
exploitpack		CMS Made Simple 1.12.1 2.1.3 - Web Server Cache Poisoning
4 May 201600:00
exploitpack
NVD		CVE-2016-2784
26 May 201614:59
nvd
OpenVAS		CMS Made Simple Multiple Vulnerabilities (Jun 2016) - Active Check
7 Jun 201600:00
openvas
Packet Storm		CMS Made Simple Cache Poisoning
3 May 201600:00
packetstorm
Rows per page
=============================================
Web Server Cache Poisoning in CMS Made Simple
=============================================

CVE-2016-2784

Product Description
===================

CMS Made Simple is a great tool with many plugins to publish content on the Web. It aims to 
be simple to use by end users and to provide a secure and robust website.

Website: http://www.cmsmadesimple.org/

Description
===========

A remote unauthenticated attacker can insert malicious content in a CMS Made Simple 
installation by poisoning the web server cache when Smarty Cache is activated by modifying 
the Host HTTP Header in his request.

The vulnerability can be triggered only if the Host header is not part of the web server 
routing process (e.g. if several domains are served by the same web server).

This can lead to phishing attacks because of the modification of the site's links, 
defacement or Cross-Site-Scripting attacks by a lack of filtering of HTML entities in 
$_SERVER variable.

**Access Vector**: remote
**Security Risk**: medium
**Vulnerability**: CWE-20
**CVSS Base score**: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

----------------
Proof of Concept
----------------

Request that shows improper HTML entities filtering and will insert 
' onload='javacript:alert(Xss) in the pages :

  GET / HTTP/1.1
  Host: ' onload='javascrscript:ipt:alert(Xss)
  Accept: */*
  Accept-Encoding: gzip, deflate
  Connection: close
  
Request that changes the root domain for all links and allows to redirect to external 
websites : 

  GET / HTTP/1.1
  Host: www.malicious.com
  Accept: */*
  Accept-Encoding: gzip, deflate
  Connection: close
  
Solution
========

Use the variable $_SERVER['SERVER_NAME'] instead of the variable $_SERVER['HTTP_HOST'] 
given that the server name is correctly defined or use an application specific 
constant.

Fixes
=====

Upgrade to CMS Made Simple 2.1.3 or 1.12.2.

See http://www.cmsmadesimple.org/2016/03/Announcing-CMSMS-1-12-2-kolonia and 
http://www.cmsmadesimple.org/2016/04/Announcing-CMSMS-2-1-3-Black-Point for upgrade 
instructions.

Mitigation : disable Smarty caching in the admin panel.

Affected Versions
=================

CMS Made Simple < 2.1.3 and < 1.12.2

Vulnerability Disclosure Timeline
=================================

02-24-2016: Vendor contacted
02-24-2016: Vulnerability confirmed by the vendor
03-01-2016: CVE identifier assigned
03-28-2016 & 04-16-2016: Vendor patch release
05-03-2016: Public Disclosure

Credits
=======

 * Mickaël Walter, I-Tracing (lab -at- i-tracing -dot- com)
 
 Website: http://www.i-tracing.com/

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 May 2016 00:00Current
5.2Medium risk
Vulners AI Score5.2
CVSS 22.6
CVSS 34.7
EPSS0.06088
cms made simpleweb servercache poisoningsmarty cachevulnerabilitypatchsecurity riskcwe-20cve-2016-2784i-tracingcross-site-scriptingmitigationexternal websitesvendor disclosure
53