[Bkis-02-2010] Multiple Vulnerabilities in CMS Made Simple
CMS Made Simple is a free content management system (CMS) written in PHP, available at www.cmsmadesimple.org. In March 2010, Bkis Security discovered several XSS and CSRF vulnerabilities in CMS Made Simple 1.7.1. By exploiting these vulnerabilities, an attacker can insert code into a link's path that is executed in the user's browser, exposing the user's cookies and session. An attacker can also trick users into triggering some of the system's functions without their knowledge. Bkis has informed the CMS Made Simple development team of these vulnerabilities.
Details: http://security.bkis.com/multiple-vulnerabilities-in-cms-made-simple/
SVRT Advisory: Bkis-02-2010
Initial vendor notification: 05/12/2010
Release Date: 06/21/2010
Update Date: 06/21/2010
Discovered by: Truong Thao Nguyen, Do Hoang Bach, Cao Xuan Sang
Attack Type: XSS, CSRF
Security Rating: High
Impact: Code Execution
Affected Software: CMS Made Simple (version <= 1.7.1)
The XSS vulnerability is found in the following modules:
- Add Pages
- Add Global Content
- Edit Global Content
- Add Article
- Add Category
- Add Field Definition
- Add Shortcut

The CSRF vulnerability is found in the following module:
- Changes group permission
Because the affected action is performed without first confirming the user's intent, users can be tricked into carrying it out unknowingly. An attacker can thus perform malicious actions through legitimate users.

In addition, all of the vulnerabilities are located in the content management section of CMSMadeSimple, so the potential victims are the system's administrators, editors and designers.

The CMSMadeSimple development team has not yet issued patches for these vulnerabilities. Bkis therefore strongly recommends that individuals and organizations using this software exercise caution when receiving links, and keep track of the latest software version so they can update as soon as a fix is available.
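The following PHP snippet is an added example, not CMS Made Simple's own code, illustrating the two defences the findings above call for: a per-session synchronizer token checked before the "change group permissions" action is carried out (so a forged cross-site request without the token is rejected), and HTML escaping of any value reflected back from the Add/Edit forms. Function names, field names and the in-memory session array are assumptions for the demonstration.

```php
<?php
// Added example (not CMS Made Simple's code). Function and field names are
// assumptions, not CMSMS identifiers; $session stands in for $_SESSION.

// Issue one random token per session and embed it as a hidden field in every
// state-changing admin form (for example the group-permission form).
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Reject a state-changing request whose token does not match the session's.
// hash_equals() compares in constant time, so a partial match leaks nothing.
function csrf_valid(array $session, array $post): bool {
    return isset($session['csrf_token'], $post['csrf_token'])
        && hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Escape anything reflected into HTML (a page title, a global-content name,
// a message echoing the request) so injected markup is rendered as text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Handler for a "change group permissions" POST (hypothetical field names).
function change_group_permissions(array &$session, array $post, array &$perms): string {
    if (!csrf_valid($session, $post)) {
        // No valid token: a cross-site forged request or a stale form. Nothing changes.
        return '<p>Request rejected: missing or invalid form token.</p>';
    }
    $group = (string) ($post['group'] ?? '');
    $perms[$group] = array_map('strval', (array) ($post['perms'] ?? []));
    return '<p>Permissions updated for group ' . h($group) . '</p>';
}

// Constructed demonstration: a request without the token is refused, a request
// carrying the session's token is applied and its reflected input is escaped.
$session = [];
$perms = [];
$token = csrf_token($session);
echo change_group_permissions($session, ['group' => 'Editor', 'perms' => ['modify_pages']], $perms), "\n";
echo change_group_permissions($session, ['csrf_token' => $token, 'group' => '<b>Editor</b>', 'perms' => ['modify_pages']], $perms), "\n";
```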
Bui Quang Minh
Manager - Vuln Team - Bkis Security - Bkis
Office : Hitech building - 1A Dai Co Viet, Hanoi
Email : email@example.com
Website : www.bkav.com.vn; www.bkav.com
Blog : security.bkis.com