Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 3 Jul 2015 13:27:27 +0530
From: Anirudh Anand <anirudhanand722@...il.com>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: CVE Request: GetSimple CMS: Multiple Stored XSS

Hello,

GetSimple <http://get-simple.info/> is a stand-a-alone, fully independent
and lite Content Management System.

Recently I found that Getsimple CMS is vulnerable to Stored Cross site
scripting attack.

*POC:*

While creating a new page, give the page title as
*new"onmouseover="alert(1)";* and in the content, give *<svg
onload="alert(10)">*. Now save it and then go to *pages.php* and then hover
the mouse over the cross mark (which is used to delete the post). You can
see that XSS is triggered.

Now, go to *backups.php* and hover the mouse over it and again you can see
the XSS triggered. Now open the backup and you can see that *<svg>* is
triggered there. But since there is regex checking in the main pages, the
*<svg>* won't get triggered in the main page.

Any normal user has the ability to add new pages and each time when a post
is saved, it gets automatically saved into *backups.php*

*Date of reporting:* 3rd July, 2015

*Exploit Author:* Anirudh Anand

*Vendor Homepage*: http://get-simple.info/

*Software Link:* http://get-simple.info/download/

*Version affected: *Possibly all version <= 3.3.5

*Tested on:* Linux:- Ubuntu, Debian, PHP - 5.5


The issue has been reported to the vendor:
https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1067

Is it possible to assign CVE identifier for the same ?

Thank you,

-- 

Anirudh Anand
bi0s@...ITA
www.securethelock.com

*"Those who Say it cannot be done, should not interrupt the people doing
it"*

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ