Date: Fri, 3 Jul 2015 13:27:27 +0530 From: Anirudh Anand <anirudhanand722@...il.com> To: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: CVE Request: GetSimple CMS: Multiple Stored XSS Hello, GetSimple <http://get-simple.info/> is a stand-a-alone, fully independent and lite Content Management System. Recently I found that Getsimple CMS is vulnerable to Stored Cross site scripting attack. *POC:* While creating a new page, give the page title as *new"onmouseover="alert(1)";* and in the content, give *<svg onload="alert(10)">*. Now save it and then go to *pages.php* and then hover the mouse over the cross mark (which is used to delete the post). You can see that XSS is triggered. Now, go to *backups.php* and hover the mouse over it and again you can see the XSS triggered. Now open the backup and you can see that *<svg>* is triggered there. But since there is regex checking in the main pages, the *<svg>* won't get triggered in the main page. Any normal user has the ability to add new pages and each time when a post is saved, it gets automatically saved into *backups.php* *Date of reporting:* 3rd July, 2015 *Exploit Author:* Anirudh Anand *Vendor Homepage*: http://get-simple.info/ *Software Link:* http://get-simple.info/download/ *Version affected: *Possibly all version <= 3.3.5 *Tested on:* Linux:- Ubuntu, Debian, PHP - 5.5 The issue has been reported to the vendor: https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1067 Is it possible to assign CVE identifier for the same ? Thank you, -- Anirudh Anand bi0s@...ITA www.securethelock.com *"Those who Say it cannot be done, should not interrupt the people doing it"*
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.