--nextPart1603259.dRI7sHy9J4
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable

CMS Made Simple: backend cross site scripting (XSS), CVE-2010-1482

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1482 
http://int21.de/cve/CVE-2010-1482-cmsmadesimple-xss-backend.html 
http://blog.cmsmadesimple.org/2010/05/01/announcing-cms-made-simple-1-7-1-escade/ 

Description

CMS Made Simple 1.7.0 and earlier is vulnerable to cross site scripting in the
backend. The personal options page at admin/editprefs.php contains the field
date_format_string, which is not properly escaped and can be filled with
Javascript-code, e.g. ">.

As this page cannot be viewed by the admin or other users, this only allows
quite unlikely attack scenarios, so the impact should be considered very low.

Vendor has released 1.7.1, which filters out HTML-tags and restricts the field
size to 10 chars. Filtering out HTML-tags alone does not help, as one can
still use JavaScript event handlers (e.g. onMouseOver), but 10 chars doesn't
allow any useful code to be injected. The proper solution would be escaping
the output including quotes. So this is fixed, but it's not a very clean
solution.

Disclosure Timeline

2010-04-30: Vendor contacted
2010-04-30: Vendor replied
2010-05-01: Vendor released 1.7.1 with fix
2010-05-07: Published advisory

Credits

This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de, of 
schokokeks.org webhosting.

=2D- 
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/ 
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de 

http://schokokeks.org - professional webhosting 

--nextPart1603259.dRI7sHy9J4
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)

iEYEABECAAYFAkvkCqgACgkQr2QksT29OyCetwCeJ25hAiBF3JTD5V9Oeb+oHo35
QX4AoKCwGmmUa1DADwH5XNV7pOUdqsjt
=m1BJ
-----END PGP SIGNATURE-----

--nextPart1603259.dRI7sHy9J4--