vulnerability-CMS-Made-Simple

We found vulnerabilities in CMS Made Simple

Details about CMS Made Simple

CMS Made Simple (CMSMS) is a free, open source (GPL) content management system (CMS) that provides developers, programmers and site owners with a web-based development and administration area. In 2010 it won the Packt Publishing annual award for open source content management. (Source: Wikipedia)

An authenticated user with admin access can abuse XSS vulnerabilities in the admin panel and in extensions. The vulnerabilities exist due to insufficient filtration of user-supplied data: values are stored and later rendered without proper output encoding. By exploiting them, an attacker gains the ability to execute their own client-side code in the context of another user, which allows taking actions under another admin user's account. In addition, passwords are stored as salted MD5 hashes.

Vulnerabilities

XSS in Admin search
Payload: <script>alert(document.domain)</script>
Description: After the payload is entered into the input, the page has to be reloaded to trigger it.

Stored XSS in manage shortcuts
Payload: <script>alert(document.domain)</script>
Parameter: name

Stored XSS in global settings, content editing settings, maintenance mode
Payload: <script>alert(document.domain)</script>

Stored XSS in global settings
Payload: <script>alert(1)</script>
Parameter: global metadata
Description: Also triggers on the visitor-facing site.

Stored XSS in the title of an article
Payload: XSS <script>alert(document.domain)</script>
Description: Triggers in the admin area; the article content also triggers on the visitor-facing site. Here the request has to be modified with a proxy, because the website encodes a few characters before sending it.

Stored XSS in settings - content manager
Payload: <script>alert(document.domain)</script>
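All of the findings above share one root cause: a stored value is written back into admin or visitor pages without being encoded for the HTML context it lands in, and the only "encoding" that exists happens in the browser before the request is sent, where a proxy can simply undo it. The following Python is an added example written for this post (it is not Citadelo's or CMSMS's code) showing the defective pattern next to the server-side output encoding that fixes it, and an audit helper that feeds the advisory's own payloads through a renderer to confirm nothing executable survives. The function names and the markup produced are constructed for illustration.

```python
import html
import re

# Payloads quoted in the advisory above, reused here as constructed test input.
ADVISORY_PAYLOADS = [
    "<script>alert(document.domain)</script>",
    "<script>alert(1)</script>",
    "XSS <script>alert(document.domain)</script>",
]

# Matches the start of a <script> element in rendered markup (case-insensitive,
# tolerant of whitespace after '<'). Used only as a check on rendered output.
SCRIPT_START = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_title_vulnerable(title: str) -> str:
    """The defective pattern: stored text is concatenated into the page unchanged.
    Constructed illustration of 'insufficient filtration'; not CMSMS source."""
    return f"<h1>{title}</h1>"


def escape_for_html_body(value: str) -> str:
    """Encode a value for an HTML element body: '&', '<' and '>' become entities."""
    return html.escape(value, quote=False)


def escape_for_html_attribute(value: str) -> str:
    """Encode a value for a double-quoted attribute value; quotes are encoded too."""
    return html.escape(value, quote=True)


def render_title_fixed(title: str) -> str:
    """Article title as rendered in the admin list and on the public site.
    Encoding happens here, at output time on the server, so it holds no matter
    what the browser or a proxy actually sent."""
    return f"<h1>{escape_for_html_body(title)}</h1>"


def render_shortcut_fixed(name: str) -> str:
    """A 'manage shortcuts' entry: the same stored value lands in two contexts
    (attribute and element body) and each gets the encoder for its own context."""
    return (
        f'<a href="/admin/shortcut" title="{escape_for_html_attribute(name)}">'
        f"{escape_for_html_body(name)}</a>"
    )


def contains_script_element(rendered: str) -> bool:
    """Return True if the rendered markup still carries a <script> start tag."""
    return SCRIPT_START.search(rendered) is not None


def audit_renderer(render, payloads=ADVISORY_PAYLOADS) -> dict:
    """Run every payload through a renderer and report which ones survive as
    executable markup. Returns {payload: bool}; True means still exploitable."""
    return {p: contains_script_element(render(p)) for p in payloads}


def round_trips(value: str) -> bool:
    """Encoding must not lose information: decoding the escaped text yields the
    original, so legitimate titles containing '<' or '&' still display correctly."""
    return html.unescape(escape_for_html_body(value)) == value


if __name__ == "__main__":
    for label, fn in (("vulnerable", render_title_vulnerable), ("fixed", render_title_fixed)):
        print(label, audit_renderer(fn))
```

The audit helper is the kind of regression check a maintainer would keep in a test suite: every renderer that outputs admin-controlled text gets run against the known payloads, and a `True` in the result means encoding was skipped for that code path.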

Because the developers decided not to fix these vulnerabilities, the best advice is to use another, regularly updated CMS, such as WordPress.

These vulnerabilities were discovered by Tomas Volny from Citadelo.

About the author

Citadelo
Citadelo is a firm of ethical hackers on your side. We think like hackers, but we don't abuse it. On the contrary, our main goal is to reveal vulnerabilities without causing damage. We have been conducting simulated attacks for our clients since 2006.