CMSimple Support Forum
CMSimple XSS vulnerable

CMSimple Support Forum Forum Index -> Bugs
harteg
Site Admin


Joined: 12 May 2003
Posts: 2914
Location: Rutsker, Bornholm, Denmark

Posted: Thu Jul 21, 2005 10:58 am    Post subject: CMSimple XSS vulnerable

Fix:

Code:

function printlink(){
    global $f,$search,$file,$sn,$su,$tx;
    $t=amp().'print';
    // the raw search term is concatenated into the print link
    if($f=='search')$t.=amp().'function=search'.amp().'search='.$search;
    // remainder of the one-line function unchanged

should be replaced with:

Code:

function printlink(){
    global $f,$search,$file,$sn,$su,$tx;
    $t=amp().'print';
    // the search term is HTML-escaped before it goes into the link
    if($f=='search')$t.=amp().'function=search'.amp().'search='.htmlspecialchars(stripslashes($search));
    // remainder of the one-line function unchanged

Will be fixed in next beta.


Last edited by harteg on Tue Jul 26, 2005 12:07 pm; edited 1 time in total
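The reflected XSS and the fix above, shown side by side as an added example (this is not CMSimple's own code, nor harteg's). It assumes amp() returns '&amp;' as in CMSimple's page output, and the attacker input $payload is constructed for the demo. It also carries two caveats a practitioner would want: ENT_QUOTES, since htmlspecialchars() left single quotes alone by default in the PHP versions of the time, and a guard around stripslashes(), which only makes sense while magic_quotes_gpc is on (it was removed in PHP 5.4 and would otherwise eat legitimate backslashes from the search term).

```php
<?php
// Added example, not CMSimple's own code: the print link built with the raw
// $search term, beside the encoded version from the fix in the post above.
// amp() is assumed to return '&amp;' as it does in CMSimple's output; the
// attacker input $payload below is constructed for the demo.

function amp() { return '&amp;'; }

// Vulnerable: whatever was typed into the search box lands inside the href
// attribute unchanged, so a double quote closes the attribute and the tag.
function print_link_vulnerable($search) {
    $t = amp() . 'print' . amp() . 'function=search' . amp() . 'search=' . $search;
    return '<a href="?' . $t . '">Print</a>';
}

// The fix from the thread: HTML-escape the term before concatenation.
// ENT_QUOTES is added because PHP's default left single quotes alone.
// stripslashes() existed to undo magic_quotes_gpc; it is only applied when
// that old setting is actually on, otherwise it would strip legitimate
// backslashes from the search term.
function print_link_fixed($search) {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $search = stripslashes($search);
    }
    $t = amp() . 'print' . amp() . 'function=search' . amp() . 'search='
       . htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
    return '<a href="?' . $t . '">Print</a>';
}

// Stricter variant (goes beyond the thread's fix): encode for the URL query
// first, then once for the attribute context, so '&', '=' and spaces in a
// legitimate search term survive the round trip instead of splitting the query.
function print_link_strict($search) {
    $query = '?print&function=search&search=' . rawurlencode($search);
    return '<a href="' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '">Print</a>';
}

$payload = '"><script>alert(document.cookie)</script>';   // constructed attacker input

foreach (array('vulnerable' => 'print_link_vulnerable',
               'fixed'      => 'print_link_fixed',
               'strict'     => 'print_link_strict') as $name => $fn) {
    $html = $fn($payload);
    $breaks_out = strpos($html, '<script>') !== false;
    printf("%-10s %s\n  %s\n", $name,
        $breaks_out ? 'script tag reaches the page' : 'payload stays inert text',
        $html);
}
```

Running it prints the three anchors; only the vulnerable one contains a live script tag. Note that the fix closes the hole in the href, but any other place the term is echoed (the search result heading, for instance) needs the same treatment, which is djot's point further down.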
djot



Joined: 31 Dec 2003
Posts: 2436
Location: planet earth

Posted: Thu Jul 21, 2005 11:13 am

-
Edit:

The same may occur with all the other variables in use. So make sure you check them all (a function sanitize() would be a good idea for this).

Also, I suggest to remove the link showing the XSS.


djot

PS: Why do you (mis-)use cmsimple.de for this?
-


Last edited by djot on Thu Jul 21, 2005 12:06 pm; edited 6 times in total
djot



Joined: 31 Dec 2003
Posts: 2436
Location: planet earth

Posted: Thu Jul 21, 2005 11:18 am

-
By the way ... searching for nothing ("", just clicking the search button) finds results on many pages.

djot
-
Jens



Joined: 17 Oct 2004
Posts: 2271

Posted: Thu Jul 21, 2005 12:22 pm

But this seems to be only temporary? Nothing is actually changed at the website...?
djot



Joined: 31 Dec 2003
Posts: 2436
Location: planet earth

Posted: Thu Jul 21, 2005 12:27 pm

-
I was asking myself the same, but removed that from above.

You can't access anything with this, since the input is shown in an echo function (not in exec() or something alike).

So no access to PHP, nor files, nor cookies nor other variables. And adding JS XSS is totally useless, since everything you can access is client-side (the hacker's browser).


All this example shows is that the search input (and I guess many more variables) are not checked for correct user input.


djot
-
harteg
Site Admin


Joined: 12 May 2003
Posts: 2914
Location: Rutsker, Bornholm, Denmark

Posted: Tue Jul 26, 2005 12:08 pm

There is a page about the subject at http://www.securitytracker.com/alerts/2005/Jul/1014556.html

(Removed the code and the link to cmsimple.de from my first posting).
djot



Joined: 31 Dec 2003
Posts: 2436
Location: planet earth

Posted: Tue Jul 26, 2005 2:38 pm

-
Harteg wrote:
(Removed the code and the link to cmsimple.de from my first posting).

Thx. We don't want to wake up sleeping dogs, do we? Also Jens would feel better with this :)

djot
-
mulder



Joined: 19 Jul 2005
Posts: 625
Location: Behind your ...

Posted: Thu Jul 28, 2005 12:10 pm

djot wrote:
By the way ... searching for nothing ("", just clicking the search button) finds results on many pages.


Try something like:

Code:

if($f=='search'){
    $title=$tx['title']['search'];
    $ta=array();
    for($i=0;$i<$hl;$i++){
        // added guard: skip matching when the search box was empty
        if($search!=''&&@preg_match('/'.preg_quote($search,'/').'/i',$c[$hc[$i]]))$ta[]=$hc[$i];
    }
    $o.='<h1>'.$tx['search']['result'].'</h1><p>"'.htmlspecialchars(stripslashes($search)).'" ';
    if(count($ta)==0)$o.=$tx['search']['notfound'].'.';
    else{
        $o.=$tx['search']['foundin'].' '.count($ta).' ';
        if(count($ta)>1)$o.=$tx['search']['pgplural'];else $o.=$tx['search']['pgsingular'];
        $o.=':';
    }
    $o.='</p>'.li($ta,'search');
}

Just added:

Code:

$search!=''&&
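Why the empty search djot mentioned lists every page, and what mulder's guard changes, as an added stand-alone example (not CMSimple's code and not mulder's). $c is a constructed array of page contents standing in for CMSimple's content array; the $hc/$hl indirection is replaced by plain array keys so the snippet runs on its own, and the trim() is an addition beyond the thread's one-token change.

```php
<?php
// Added example, not CMSimple's own code: why an empty search term matches
// every page, and the guard from the post above. $c is a constructed array
// of page contents standing in for CMSimple's content array; $hc/$hl are
// replaced by plain array keys so the demo runs on its own.

$c = array(
    0 => '<h1>Welcome</h1><p>Start page of the demo site.</p>',
    1 => '<h1>Downloads</h1><p>Fetch the latest beta here.</p>',
    2 => '<h1>Contact</h1><p>Mail the admin.</p>',
);

// Original loop: preg_quote('') is '', the pattern becomes '//i', and an
// empty pattern matches at offset 0 of every string, so every page is "found".
function search_pages_original(array $c, $search) {
    $ta = array();
    foreach ($c as $i => $text) {
        if (@preg_match('/' . preg_quote($search, '/') . '/i', $text)) {
            $ta[] = $i;
        }
    }
    return $ta;
}

// Guarded version: mulder's $search != '' check, plus trim() so a box
// containing only whitespace is treated as empty too (the trim goes beyond
// the thread's fix; a lone space would otherwise still match every page).
function search_pages_guarded(array $c, $search) {
    $search = trim($search);
    if ($search === '') {
        return array();
    }
    return search_pages_original($c, $search);
}

foreach (array('', ' ', 'beta', 'BETA', 'nothing-here') as $term) {
    printf("%-14s original: %d page(s)   guarded: %d page(s)\n",
        var_export($term, true),
        count(search_pages_original($c, $term)),
        count(search_pages_guarded($c, $term)));
}
```

The first two rows are the ones that matter: '' and ' ' hit all three pages in the original loop and none once guarded, while real terms behave the same in both.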
djot



Joined: 31 Dec 2003
Posts: 2436
Location: planet earth

Posted: Thu Jul 28, 2005 12:15 pm

Well, this was a hint for Peter, to fix that in the official distribution...
harteg
Site Admin


Joined: 12 May 2003
Posts: 2914
Location: Rutsker, Bornholm, Denmark

Posted: Mon Aug 08, 2005 11:52 am

Added it at http://www.cmsimple.dk/?Downloads:Future_development
walter_ps2



Joined: 29 Aug 2005
Posts: 1

Posted: Mon Aug 29, 2005 6:25 pm

I see that the fix is only for version 2.4!

But I have a 2.3 also... do you have a solution for that old version? Or is it better to upgrade to 2.4 and fix it?
harteg
Site Admin


Joined: 12 May 2003
Posts: 2914
Location: Rutsker, Bornholm, Denmark

Posted: Tue Aug 30, 2005 7:09 am

I didn't fix it in 2.4 as far as I remember, but in the beta 2.5 - it is only the one-liner function printlink() that needed to be updated (see first post).
All times are GMT

Powered by phpBB © 2001, 2005 phpBB Group