SECURITYVULNS:DOC:15581 (securityvulns.com)
Jan 05, 2007

CMS Made Simple non-permanent XSS

2007-01-05 00:00:00
vulners.com

########################


http://www.nanoy.org

########################

Hacker.: NanoyMaster
CMS....: CMS Made Simple
Version: 1.0.2

[--------exploits----------]
1) Search XSS (non-permanent)
2) preview XSS (non-permanent)
3) Admin login XSS (non-permanent)
4) Outro

[--------------------[NM]--]
[-------1.Search XSS-------]
XSS in search, e.g.:
http://<site>/<path>/index.php?mact=Search%2Ccntnt01%2Cdosearch%2C0&cntnt01returnid=15&cntnt01searchinput=<XSS>&cntnt01submit=Submit

Patch: modules\Search\action.dosearch.php
Add the following to line 3:
$params['searchinput'] = htmlentities($params['searchinput']);

[--------------------[NM]--]
[------2.Preview XSS-------]
XSS in Preview, e.g.:
http://<site>/<path>/preview.php?tmpfile=<xss>

Patch: preview.php
Add the following to line 38:
$page = htmlentities($page);

[--------------------[NM]--]
[----3.Admin Login XSS-----]
Type the following in the username field:
"><xss>
then submit.
(The login form limits the field to 15 characters; make your own POST form to send a longer value.)

Patch: http://<site>/<path>/admin/themes/<theme>/login.php
Add the following near the top:
<?php if(isset($_POST['username'])){$_POST['username'] = htmlentities($_POST['username']);} ?>
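All three patches above apply htmlentities() to one reflected parameter before it is echoed back. The following is an added example (not from this advisory or from CMS Made Simple's own code) showing the login case as a vulnerable render beside the hardened one; the function names and the form markup are assumptions. One caveat the one-line patches omit: before PHP 8.1, htmlentities() with its default flags converts double quotes only, so a value echoed into a single-quoted attribute would still break out unless ENT_QUOTES is passed explicitly.

```php
<?php
// Added example, not CMS Made Simple code. Output-time escaping for a
// reflected value such as the login form's username field.

// Escape for use inside an HTML attribute or text node. ENT_QUOTES is
// passed explicitly because htmlentities() before PHP 8.1 only converts
// double quotes by default, so a single-quoted attribute would remain
// exploitable. ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which would otherwise silently drop the value.
function esc_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern from the advisory: the submitted username is echoed
// back into the form unescaped, so the advisory's payload "><xss> closes
// the attribute and the tag. Markup is an assumption.
function render_login_vulnerable(string $username): string
{
    return '<input type="text" name="username" value="' . $username . '">';
}

// Hardened pattern: identical markup, value escaped at the point of output.
function render_login_hardened(string $username): string
{
    return '<input type="text" name="username" value="'
        . esc_html($username) . '">';
}

// Constructed sample input, taken from the advisory's login test.
$payload = '"><xss>';

echo "vulnerable: ", render_login_vulnerable($payload), PHP_EOL;
echo "hardened:   ", render_login_hardened($payload), PHP_EOL;

// Single-quote case the original patches do not cover: with ENT_QUOTES the
// apostrophe is encoded, so a single-quoted attribute cannot be closed.
echo "quotes:     ", esc_html("' onmouseover='x"), PHP_EOL;
```

Run with `php example.php`; the hardened line shows the quote and angle brackets as entities, so the browser treats the whole value as attribute text rather than new markup.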

[--------------------[NM]--]
[----------0.Outro---------]
Well, I hope you liked this whitepaper.
Have fun screwing with sites that use this package
(Or patching your sites!)
Sorry only 2 holes were added, I'll try harder next time ;)
Check out my site: http://www.nanoy.org
There's a few challs etc.

peace (^^)__\/m
[--------------------[NM]--]