cmsms102-xss.txt

`########################  
# /||` \ | || \` / ||\ #   
#/ || |\\| ||` \/` || \#   
#\ || | \` || |\/| || /#   
# \||_|` \_||_|` |_||/ #  
# http://www.nanoy.org #  
########################  
  
Hacker.: NanoyMaster  
CMS....: CMS Made Simple  
Version: 1.0.2  
  
[--------exploits----------]  
1) Search XSS (non-permanent)  
2) preview XSS (non-permanent)  
3) Admin login XSS (non-permanent)  
4) Outro  
  
[--------------------[NM]--]  
[-------1.Search XSS-------]  
XSS in search eg:  
http://<site>/<path>/index.php?mact=Search%2Ccntnt01%2Cdosearch%2C0&cntnt01returnid=15&cntnt01searchinput=<XSS>&cntnt01submit=Submit  
  
Patch: modules\Search\action.dosearch.php  
Add the following to line 3:  
$params['searchinput'] = htmlentities($params['searchinput']);  
  
[--------------------[NM]--]  
[------2.Preview XSS-------]  
XSS in Preview eg:  
http://<site>/<path>/preview.php?tmpfile=<xss>  
  
Patch: preview.php  
add the following to line 38:  
$page = htmlentities($page);  
  
[--------------------[NM]--]  
[----3.Admin Login XSS-----]  
Type in username:  
"><xss>  
then submit  
(make your own post form for more than 15 chars)  
  
Patch: http://<site>/<path>/admin/themes/<theme>/login.php  
Add the following near the top:  
<?php if(isset($_POST['username'])){$_POST['username'] = htmlentities($_POST['username']);} ?>  
  
[--------------------[NM]--]  
[----------0.Outro---------]  
Well I hope you liked this whitepaper  
Have fun screwing with sites that use this package  
(Or patching your sites!)  
Sorry only 2 holes were added, I'll try harder next time ;)  
Check out my site: http://www.nanoy.org  
theres a few challs etc.  
  
peace (^_^)___\/m  
[--------------------[NM]--]  
`