Unsanitized & unescaped user supplied output in CMSimple_XH

A place for security related announcements and discussions - please check this forum frequently!
cmb
Posts: 12663
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Unsanitized & unescaped user supplied output in CMSimple_XH

Post by cmb » Tue Sep 27, 2016 4:30 pm

Due to the release of CMSimple 4.6.4, I've become aware of an unsanitized and unescaped output of user supplied input issue in CMSimple_XH. This issue can be exploited to temporarily deface the website, and it might even constitute an exploitable Cross-Site-Scripting (XSS) vulnerability.

As the cat is out of the bag, there's no need for further secrecy, so I'm offering the following quick fix for XH 1.6.7. Change cmsimple/functions line 675 to:

        $o .= '<p>File ' . XH_hsc($fl) . '</p>'; 
I think that we'll release XH 1.6.8 with a fix for this issue plus a few outstanding bug fixes within the next two weeks.
Christoph M. Becker – Plugins for CMSimple_XH, but not for CMSimple 4+
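
The effect of the quick fix above, as an added example that is not part of the original post or of CMSimple_XH. Assumptions: `escape_html()` is a hypothetical stand-in for `XH_hsc()` (assumed here to wrap `htmlspecialchars()`), `render_unescaped()` models the unescaped output the post describes, and all sample values are constructed.

```php
<?php
// Added illustration; not CMSimple_XH source. escape_html() is a hypothetical
// stand-in for the project's XH_hsc() helper, assumed to wrap htmlspecialchars().
function escape_html(string $s): string
{
    // ENT_QUOTES also escapes ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // with U+FFFD instead of turning the whole result into an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": the user-supplied value is concatenated into the markup verbatim.
function render_unescaped(string $fl): string
{
    return '<p>File ' . $fl . '</p>';
}

// "After": same message, value escaped at the point of output (the quick fix).
function render_escaped(string $fl): string
{
    return '<p>File ' . escape_html($fl) . '</p>';
}

// True if anything inside the wrapping <p>...</p> still contains < or >.
function has_injected_markup(string $html): bool
{
    $inner = substr($html, strlen('<p>'), -strlen('</p>'));
    return strpbrk($inner, '<>') !== false;
}

// Constructed sample inputs (not taken from any real request).
$samples = [
    'content/pagedata.php',   // ordinary value: unchanged by escaping
    '<h1>site closed</h1>',   // markup that would alter the rendered page
    'a"b\'c & d',             // quotes and ampersand
    "bad\xC3(utf8<i>",        // invalid UTF-8 followed by markup
];

foreach ($samples as $fl) {
    printf(
        "%-28s before: %-3s after: %-3s %s\n",
        json_encode($fl, JSON_INVALID_UTF8_SUBSTITUTE),
        has_injected_markup(render_unescaped($fl)) ? 'RAW' : 'ok',
        has_injected_markup(render_escaped($fl)) ? 'RAW' : 'ok',
        render_escaped($fl)
    );
}
```
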

Hartmut
Posts: 508
Joined: Sat Nov 05, 2011 6:13 pm
Location: Butzbach, Deutschland

Re: Unsanitized & unescaped user supplied output in CMSimple

Post by Hartmut » Tue Sep 27, 2016 6:49 pm

Hello,

thank you for the information.
Is it possible, when updating to 1.6.8, to also add the plugin UpdateCheck 1.4, so that it does not need to be installed manually?

Best wishes
Hartmut

Holger
Site Admin
Posts: 2858
Joined: Mon May 19, 2008 7:10 pm
Location: Hessen, Germany

Re: Unsanitized & unescaped user supplied output in CMSimple

Post by Holger » Wed Sep 28, 2016 10:02 am

Hartmut wrote: Is it possible, when updating to 1.6.8, to also add the plugin UpdateCheck 1.4, so that it does not need to be installed manually?
Of course.
I'll put it together with a new version of the jQuery-Plugin on SF ASAP.

Holger

Maxim
Posts: 121
Joined: Thu Jun 13, 2013 6:52 am
Location: Запорожье

When

Post by Maxim » Thu Sep 29, 2016 8:40 am

Clean URLs as optional feature for CMSimple_XH
http://cmsimpleforum.com/viewtopic.php?f=29&t=7061
I think that we'll release XH 1.6.8 with a fix for this issue plus a few outstanding bug fixes within the next two weeks.
When approximately will version 1.7 be released?

cmb
Posts: 12663
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Re: Unsanitized & unescaped user supplied output in CMSimple

Post by cmb » Sun Dec 11, 2016 4:33 pm

FTR: Fixed with r1687.
Christoph M. Becker – Plugins for CMSimple_XH, but not for CMSimple 4+
