CMS Made Simple Cross Site Scripting

`CMS Made Simple: backend cross site scripting (XSS), CVE-2010-1482  
  
References  
  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1482  
http://int21.de/cve/CVE-2010-1482-cmsmadesimple-xss-backend.html  
http://blog.cmsmadesimple.org/2010/05/01/announcing-cms-made-simple-1-7-1-escade/  
  
Description  
  
CMS Made Simple 1.7.0 and earlier is vulnerable to cross site scripting in the  
backend. The personal options page at admin/editprefs.php contains the field  
date_format_string, which is not properly escaped and can be filled with  
Javascript-code, e.g. "><script>alert(1)</script>.  
  
As this page cannot be viewed by the admin or other users, this only allows  
quite unlikely attack scenarios, so the impact should be considered very low.  
  
Vendor has released 1.7.1, which filters out HTML-tags and restricts the field  
size to 10 chars. Filtering out HTML-tags alone does not help, as one can  
still use JavaScript event handlers (e.g. onMouseOver), but 10 chars doesn't  
allow any useful code to be injected. The proper solution would be escaping  
the output including quotes. So this is fixed, but it's not a very clean  
solution.  
  
Disclosure Timeline  
  
2010-04-30: Vendor contacted  
2010-04-30: Vendor replied  
2010-05-01: Vendor released 1.7.1 with fix  
2010-05-07: Published advisory  
  
Credits  
  
This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de, of  
schokokeks.org webhosting.  
  
--   
Hanno Böck Blog: http://www.hboeck.de/  
GPG: 3DBD3B20 Jabber/Mail: [email protected]  
  
http://schokokeks.org - professional webhosting  
`