Message-ID: <CAMntfF04Vq=1v=jn=1DNjPTNHfPp5YASwnm6OdVKYxs5VsaCiA@mail.gmail.com>
Date: Fri, 3 Jul 2015 13:27:27 +0530
From: Anirudh Anand <anirudhanand722@...il.com>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: CVE Request: GetSimple CMS: Multiple Stored XSS

Hello,

GetSimple <http://get-simple.info/> is a stand-alone, fully independent and lite Content Management System. Recently I found that GetSimple CMS is vulnerable to a Stored Cross Site Scripting attack.

*POC:*

While creating a new page, give the page title as *new"onmouseover="alert(1)";* and in the content, give *<svg onload="alert(10)">*. Now save it and then go to *pages.php* and then hover the mouse over the cross mark (which is used to delete the post). You can see that XSS is triggered. Now, go to *backups.php* and hover the mouse over it and again you can see the XSS triggered. Now open the backup and you can see that *<svg>* is triggered there. But since there is regex checking in the main pages, the *<svg>* won't get triggered in the main page.

Any normal user has the ability to add new pages, and each time a post is saved, it gets automatically saved into *backups.php*.

*Date of reporting:* 3rd July, 2015
*Exploit Author:* Anirudh Anand
*Vendor Homepage:* http://get-simple.info/
*Software Link:* http://get-simple.info/download/
*Version affected:* Possibly all versions <= 3.3.5
*Tested on:* Linux:- Ubuntu, Debian, PHP - 5.5

The issue has been reported to the vendor: https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1067

Is it possible to assign a CVE identifier for the same?

Thank you,

--
Anirudh Anand
bi0s@...ITA
www.securethelock.com
*"Those who Say it cannot be done, should not interrupt the people doing it"*
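As an added illustration (not GetSimple's code and not part of the original post), the following PHP shows the attribute-injection pattern the PoC exercises when a page title is written raw into the delete link's title attribute, next to the attribute-context escaping that closes it. The markup, the function names and the `delete.php` link target are hypothetical; the title value is the one from the report.

```php
<?php
// Added example, not GetSimple's code: the markup and function names are
// hypothetical. Only the title string is taken from the report's PoC.

// Constructed input: the page title from the report.
$title = 'new"onmouseover="alert(1)";';

// Vulnerable pattern: the title is concatenated straight into title="...".
// The embedded double quote terminates the attribute early, and the remainder
// of the string is parsed by the browser as a new onmouseover attribute.
function render_delete_link_unsafe(string $slug, string $title): string {
    return '<a href="delete.php?id=' . $slug . '" title="Delete ' . $title . '">X</a>';
}

// Hardened pattern: escape for the HTML attribute context before output.
// ENT_QUOTES encodes both " and ' so neither quoting style can be broken out
// of; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "", which
// would otherwise silently blank the label.
function esc_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_delete_link_safe(string $slug, string $title): string {
    return '<a href="delete.php?id=' . rawurlencode($slug)
        . '" title="Delete ' . esc_attr($title) . '">X</a>';
}

// Regression check usable in a template test: rendered markup must never
// contain an event-handler attribute introduced by a quote from user data.
function contains_injected_handler(string $html): bool {
    return (bool) preg_match('/"\s*on\w+\s*=/i', $html);
}

echo render_delete_link_unsafe('demo', $title), "\n";
echo render_delete_link_safe('demo', $title), "\n";
var_dump(contains_injected_handler(render_delete_link_unsafe('demo', $title)));
var_dump(contains_injected_handler(render_delete_link_safe('demo', $title)));
```

The same escaping has to be applied on every view that renders the stored title, including the backups listing the report mentions; filtering the body content with a regex, as the report notes happens on the main page, does not protect attribute contexts elsewhere.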