XSS vulnerability in 3.3, allows deface of website
-
- Posts: 3
- Joined: Tue Jun 07, 2011 1:15 pm
There is a vulnerability in CMSimple 3.3 that allows defacing a website that uses CMSimple.
http://www.htbridge.ch/advisory/xss_vul ... imple.html
In short, passing "> to the site_title field of the form disrupts adm.php in such a way that other settings, including the password, can be changed.
My website was defaced, apparently using this method.
I tried various solutions, but currently settled on disabling the admin side completely.
Has anyone had a similar problem, or does anyone have any idea how to deal with this and keep the admin side?
Re: XSS vulnerability in 3.3, allows deface of website
old news---------02 August 2010
no known issues
do you have anything new regarding this?
Vulnerability ID: HTBXXXXXXXX
Product: CMSimple
Vendor: Peter Andreas Harteg ( http://www.cmsimple.org/ )
Vulnerable Version: 3.3 and Probably Prior Versions
Vendor Notification: 02 August 2010
Public Disclosure: 16 August 2010
Latest Update: 13 August 2010
Vulnerability Type: XSS (Cross Site Scripting)
if not, this has been fixed..
24 hrs, then this thread will be deleted
-
- Posts: 3
- Joined: Tue Jun 07, 2011 1:15 pm
Re: XSS vulnerability in 3.3, allows deface of website
I installed my CMSimple in February 2011 using the latest version, 3.3, and still got hacked.
If the issue in that advisory had been fixed, there is another... I did copy everything from the hacked site before I wiped it, and this "> in the title was the only thing different from the last backup copy.
I'll try to find out if anything else was changed.
Re: XSS vulnerability in 3.3, allows deface of website
ok, please keep us advised,
thanks for the update
cheers
Re: XSS vulnerability in 3.3, allows deface of website
update:
in order for that hack code to work, someone still needs the correct password to work it
mikey
-
- Posts: 3
- Joined: Tue Jun 07, 2011 1:15 pm
Re: XSS vulnerability in 3.3, allows deface of website
Okay, it seems that the attacker used some other method of getting access and disguised it as this method, or used this method to deface the site after getting the password from the config file.
Google pointed me at that vulnerability description and it did say "awaiting vendor solution". But I made a mistake when testing the new site, as I was still logged on (www auth) when I ran this code.
Indeed, the only way to use this code to deface a website is to trick someone into visiting a malicious web page while being logged on to CMSimple.
Re: XSS vulnerability in 3.3, allows deface of website
You could use the plugin GXSecurity to avoid such things ...
It's no warranty but better than nothing.
Re: XSS vulnerability in 3.3, allows deface of website
johnjdoe wrote: You could use the plugin GXSecurity to avoid such things ...
GXSecurity might be good at some sites.
But if people don't change the default password from "test" to something else, then they, so to speak, leave the door open to anybody. If people can log into the admin part of the site, no security plugin can prevent harmful things from happening to your site.
Cheers!
Bjorn
http://www.cmsimple-le.eu
Re: XSS vulnerability in 3.3, allows deface of website
angelicalee8 wrote: I got hacked because I never changed the default password.
Are you sure? The attacker might as well have obtained your password by XSS or sniffing the HTTP traffic or even by obtaining your FTP credentials (e.g. via a trojan horse). So it's best to check any computer on which you might have stored the FTP credentials with a good malware scanner and to change the FTP password.
angelicalee8 wrote: Do you have any other insight that may be helpful from your experience?
- Never use the default password on a publicly available server. Instead use a strong password that you don't use elsewhere.
- It's best not to store FTP login credentials in your FTP client.
- Check cmsimple/log.txt regularly for unauthorized access attempts.
- Regularly check this forum for security related information (it's probably a good idea to subscribe to the security forum).
- Always use the latest version of your CMSimple variant. BTW: which one do you use?
- Regularly check your site (even if you don't want to make any changes), to detect any hack as early as possible.
- While being logged in as administrator, don't visit other websites from the same browser and do not click any links in emails (or elsewhere). This avoids potential XSS and CSRF attacks.
- Make regular backups of your website. This won't prevent any attack, but it might be helpful in case you have been hacked: just delete everything from the server and restore the latest "clean" backup.
Christoph M. Becker – Plugins for CMSimple_XH
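
The two points raised in this thread, a "> in the site_title field breaking the admin form markup and a settings change that only works while the administrator is logged in, correspond to attribute encoding and a per-session request token. The following is an added example, not code from CMSimple or from any poster; the function names, the `csrf` field and the sample title are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; this is not CMSimple's adm.php.

// BEFORE: the stored value is echoed raw, so a title containing "> closes the
// value attribute and the input tag, and whatever follows is parsed as markup.
function field_unsafe(string $title): string {
    return '<input type="text" name="site_title" value="' . $title . '">';
}

// AFTER: encode for an HTML attribute context; ENT_QUOTES covers both " and '.
function field_safe(string $title): string {
    $enc = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="site_title" value="' . $enc . '">';
}

// Per-session anti-CSRF token, to be embedded in the form as a hidden field.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Accept a settings change only if the request carries the session's token.
// Another site can make a logged-in admin's browser send the POST, but it
// cannot read the token, so the forged request is rejected.
function save_settings(array &$session, array $post, array &$config): bool {
    $sent = $post['csrf'] ?? '';
    $title = $post['site_title'] ?? '';
    if (!is_string($sent) || !is_string($title) || empty($session['csrf'])
        || !hash_equals($session['csrf'], $sent)) {
        return false;
    }
    $config['site_title'] = $title;
    return true;
}

// Constructed sample input, modelled on the "> value described in the thread.
$title = 'My Site"> <b>injected</b>';
echo field_unsafe($title), "\n";
echo field_safe($title), "\n";

$session = [];                      // stands in for $_SESSION
$config  = ['site_title' => 'My Site'];
$token   = csrf_token($session);
var_dump(save_settings($session, ['site_title' => 'x'], $config));
var_dump(save_settings($session, ['site_title' => 'New', 'csrf' => $token], $config));
```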