XSS vulnerability in 3.3, allows deface of website

A place for security related announcements and discussions - please check this forum frequently!
Post Reply
werybigmonk
Posts: 3
Joined: Tue Jun 07, 2011 1:15 pm

XSS vulnerability in 3.3, allows deface of website

Post by werybigmonk » Tue Jun 07, 2011 1:32 pm

There is a vulnerability in CMSimple 3.3 that allows to deface website using CMSimple.
http://www.htbridge.ch/advisory/xss_vul ... imple.html
In short, passing "> to site_title field of the form disrupts adm.php in a way that other settings, including password, can be changed.

My website was defaced using apparently this method.
I tried various solutions, but currently settled on disabling admin side completely.
Does anyone had similar problem or have any idea how to deal with this and keep the admin side?

mikey
Site Admin
Posts: 345
Joined: Tue May 27, 2008 3:15 am
Location: Sydney Australia
Contact:

Re: XSS vulnerability in 3.3, allows deface of website

Post by mikey » Tue Jun 07, 2011 1:53 pm

old news---------02 August 2010

no known issues :)
Vulnerability ID: HTBXXXXXXXX
Product: CMSimple
Vendor: Peter Andreas Harteg ( http://www.cmsimple.org/ )
Vulnerable Version: 3.3 and Probably Prior Versions
Vendor Notification: 02 August 2010
Public Disclosure: 16 August 2010
Latest Update: 13 August 2010
Vulnerability Type: XSS (Cross Site Scripting)
do you have anything new regarding this ?

if not, this has been fixed..

24 hrs, then this thread will be deleted

werybigmonk
Posts: 3
Joined: Tue Jun 07, 2011 1:15 pm

Re: XSS vulnerability in 3.3, allows deface of website

Post by werybigmonk » Tue Jun 07, 2011 2:07 pm

I installed my CMSimple in february 2011 using latest version, 3.3 and still got hacked.
If issue in that advisory had been fixed there is another... I did copy everything from hacked site before I wiped it and this "> in title was the only thing different from last backup copy.

I'll try to find if anything other was changed.

mikey
Site Admin
Posts: 345
Joined: Tue May 27, 2008 3:15 am
Location: Sydney Australia
Contact:

Re: XSS vulnerability in 3.3, allows deface of website

Post by mikey » Tue Jun 07, 2011 2:11 pm

ok, please keep us advised,

thankk for the update

cheers

mikey
Site Admin
Posts: 345
Joined: Tue May 27, 2008 3:15 am
Location: Sydney Australia
Contact:

Re: XSS vulnerability in 3.3, allows deface of website

Post by mikey » Tue Jun 07, 2011 3:05 pm

update:

in order for that hack code to work, someone, still needs the correct password to work it

mikey

werybigmonk
Posts: 3
Joined: Tue Jun 07, 2011 1:15 pm

Re: XSS vulnerability in 3.3, allows deface of website

Post by werybigmonk » Tue Jun 07, 2011 9:21 pm

Okay, it seems that attacker used some other method of getting access and disquised it as this method, or used this method to deface site after getting password from config file.

Google pointed me at that vulnerability description and it did say "awaiting vendor solution". But I made a mistake when testing new site, as I was still logged on (www auth) when I ran this code.

Indeed, the only way to use this code to deface a website is to trick someone of visiting malicious web page while being logged on to cmsimle.

johnjdoe
Posts: 559
Joined: Tue May 20, 2008 6:32 am

Re: XSS vulnerability in 3.3, allows deface of website

Post by johnjdoe » Tue Jun 14, 2011 8:01 am

You could use the plugin GXSecurity to avoid such things ...
It's no warranty but better then nothing.

bjorn
Posts: 75
Joined: Thu Apr 28, 2011 3:13 pm

Re: XSS vulnerability in 3.3, allows deface of website

Post by bjorn » Wed Jun 15, 2011 1:33 am

johnjdoe wrote:You could use the plugin GXSecurity to avoid such things ...
GXSecurity might be good at some sites.

But if people don't change the default password from "test" to something else then they so to speak let the door open to anybody. If people can log into the admin part of the site no security plugin can prevent that harmful things might happen to your site.

Cheers!
Bjorn
http://www.cmsimple-le.eu

cmb
Posts: 12649
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: XSS vulnerability in 3.3, allows deface of website

Post by cmb » Sat Jul 14, 2012 4:26 pm

angelicalee8 wrote:I got hacked because I never changed the default password.
Are you sure? The attacker might as well have obtained your password by XSS or sniffing the HTTP traffic or even by obtaining your FTP credentials (e.g. via a trojan horse). So it's best, if you check any computer on which you might have stored the FTP credentials with a good malware scanner and to change the FTP password.
angelicalee8 wrote:Do you have any other insight that may be helpful from your experience?
  • Never use the default password on a publicly available server. Instead use a strong password, that you don't use elsewhere.
  • It's best, no to store FTP login credentials in your FTP client.
  • Check cmsimple/log.txt regularly for unauthorized access attempts.
  • Regularly check this forum for security related information (it's probably a good idea, to subscribe the security forum).
  • Always use the latest version of your CMSimple variant. BTW: which one do you use?
  • Regularly check your site (even if you don't want to make some changes), to detect any hack as early as possible.
  • While being logged in as administrator, don't visit other websites from the same browser and do not click any links in emails (or elsewhere). This avoids potential XSS and CSRF attacks.
  • Make regular backups of your website. This won't prevent any attack, but it might be helpful in case you have been hacked: just delete everything from the server and restore the latest "clean" backup.
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+

Post Reply