
Unsanitized & unescaped user supplied output in CMSimple_XH

Posted: Tue Sep 27, 2016 4:30 pm
by cmb
Due to the release of CMSimple 4.6.4, I've become aware of an unsanitized and unescaped output of user supplied input issue in CMSimple_XH. This issue can be exploited to temporarily deface the website, and it might even constitute an exploitable Cross-Site-Scripting (XSS) vulnerability.

As the cat is out of the bag, there's no need for further secrecy, so I'm offering the following quick fix for XH 1.6.7. Change cmsimple/functions line 675 to:

        $o .= '<p>File ' . XH_hsc($fl) . '</p>'; 
I think that we'll release XH 1.6.8 with a fix for this issue plus a few outstanding bug fixes within the next two weeks.
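
The effect of the quick fix above, as an added example that is not part of the original post and not CMSimple_XH source code: the same message built with and without escaping `$fl`, plus a small regression check. `hsc_standin()` is a hypothetical stand-in for `XH_hsc()`, assumed here to wrap `htmlspecialchars()`; the other function names and the sample values are constructed for illustration.

```php
<?php
// Added illustration; not CMSimple_XH source code.

// Hypothetical stand-in for XH_hsc(); assumed to wrap htmlspecialchars().
function hsc_standin(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
}

// Message built without escaping: markup in $fl becomes part of the page.
function file_message_raw(string $fl): string
{
    return '<p>File ' . $fl . '</p>';
}

// Message built as in the quick fix: $fl is escaped at the point of output.
function file_message_escaped(string $fl): string
{
    return '<p>File ' . hsc_standin($fl) . '</p>';
}

// Regression check: apart from the <p> wrapper, no angle bracket may survive.
function contains_injected_markup(string $html): bool
{
    $inner = preg_replace('~^<p>|</p>$~', '', $html);
    return strpos($inner, '<') !== false || strpos($inner, '>') !== false;
}

// Constructed sample values for $fl.
$samples = [
    'content/page.htm',
    'x</p><h1>Constructed marker</h1><p>',
    'a & b "quoted".txt',
];

foreach ($samples as $fl) {
    $raw = file_message_raw($fl);
    $esc = file_message_escaped($fl);
    printf("input:   %s\n", $fl);
    printf("raw:     %s  injected=%s\n", $raw, var_export(contains_injected_markup($raw), true));
    printf("escaped: %s  injected=%s\n\n", $esc, var_export(contains_injected_markup($esc), true));
}
```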

Re: Unsanitized & unescaped user supplied output in CMSimple

Posted: Tue Sep 27, 2016 6:49 pm
by Hartmut
Hello,

thank you for the information.
Is it possible, when updating to 1.6.8, to also add the plugin UpdateCheck 1.4, so that it does not need to be installed manually?

Best wishes
Hartmut

Re: Unsanitized & unescaped user supplied output in CMSimple

Posted: Wed Sep 28, 2016 10:02 am
by Holger
Hartmut wrote: Is it possible, when updating to 1.6.8, to also add the plugin UpdateCheck 1.4, so that it does not need to be installed manually?
Of course.
I'll put it together with a new version of the jQuery-Plugin on SF ASAP.

Holger

When

Posted: Thu Sep 29, 2016 8:40 am
by Maxim
Clean URLs as optional feature for CMSimple_XH
http://cmsimpleforum.com/viewtopic.php?f=29&t=7061
I think that we'll release XH 1.6.8 with a fix for this issue plus a few outstanding bug fixes within the next two weeks.
When, approximately, is the release of version 1.7?

Re: Unsanitized & unescaped user supplied output in CMSimple

Posted: Sun Dec 11, 2016 4:33 pm
by cmb
FTR: Fixed with r1687.