XSS vulnerability in 3.3, allows deface of website

A place for security related announcements and discussions - please check this forum frequently!
werybigmonk
Posts: 3
Joined: Tue Jun 07, 2011 1:15 pm

XSS vulnerability in 3.3, allows deface of website

Post by werybigmonk » Tue Jun 07, 2011 1:32 pm

There is a vulnerability in CMSimple 3.3 that allows defacing a website using CMSimple.
http://www.htbridge.ch/advisory/xss_vul ... imple.html
In short, passing "> to site_title field of the form disrupts adm.php in a way that other settings, including password, can be changed.

My website was defaced using apparently this method.
I tried various solutions, but currently settled on disabling admin side completely.
Has anyone had a similar problem, or have any idea how to deal with this and keep the admin side?

mikey
Site Admin
Posts: 179
Joined: Tue May 27, 2008 3:15 am
Location: Sydney Australia

Re: XSS vulnerability in 3.3, allows deface of website

Post by mikey » Tue Jun 07, 2011 1:53 pm

old news - 02 August 2010

no known issues :)
Vulnerability ID: HTBXXXXXXXX
Product: CMSimple
Vendor: Peter Andreas Harteg ( http://www.cmsimple.org/ )
Vulnerable Version: 3.3 and Probably Prior Versions
Vendor Notification: 02 August 2010
Public Disclosure: 16 August 2010
Latest Update: 13 August 2010
Vulnerability Type: XSS (Cross Site Scripting)
do you have anything new regarding this ?

if not, this has been fixed.

24 hrs, then this thread will be deleted

werybigmonk
Posts: 3
Joined: Tue Jun 07, 2011 1:15 pm

Re: XSS vulnerability in 3.3, allows deface of website

Post by werybigmonk » Tue Jun 07, 2011 2:07 pm

I installed my CMSimple in February 2011 using the latest version, 3.3, and still got hacked.
If the issue in that advisory had been fixed, there is another... I did copy everything from the hacked site before I wiped it, and this "> in the title was the only thing different from the last backup copy.

I'll try to find out if anything else was changed.

mikey
Site Admin
Posts: 179
Joined: Tue May 27, 2008 3:15 am
Location: Sydney Australia

Re: XSS vulnerability in 3.3, allows deface of website

Post by mikey » Tue Jun 07, 2011 2:11 pm

ok, please keep us advised,

thanks for the update

cheers

mikey
Site Admin
Posts: 179
Joined: Tue May 27, 2008 3:15 am
Location: Sydney Australia

Re: XSS vulnerability in 3.3, allows deface of website

Post by mikey » Tue Jun 07, 2011 3:05 pm

update:

in order for that hack code to work, someone still needs the correct password to work it

mikey

werybigmonk
Posts: 3
Joined: Tue Jun 07, 2011 1:15 pm

Re: XSS vulnerability in 3.3, allows deface of website

Post by werybigmonk » Tue Jun 07, 2011 9:21 pm

Okay, it seems that the attacker used some other method of getting access and disguised it as this method, or used this method to deface the site after getting the password from the config file.

Google pointed me at that vulnerability description and it did say "awaiting vendor solution". But I made a mistake when testing the new site, as I was still logged on (www auth) when I ran this code.

Indeed, the only way to use this code to deface a website is to trick someone into visiting a malicious web page while being logged on to CMSimple.
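The two points raised in this thread, the stored "> in site_title breaking the settings form (an attribute-context injection) and the fact that it only works against a logged-in administrator (CSRF), are shown below in an added example. This is not CMSimple's code; the form rendering, the $config array and the session-token helpers are constructed here for illustration.

```php
<?php
// Added example, not CMSimple code: how an unescaped site_title breaks an
// admin settings form, the hardened rendering, and a CSRF token check.

// Vulnerable pattern: the stored value is written straight into an attribute.
// A value containing "> ends the value="..." attribute early, so whatever
// follows is parsed as markup and can rearrange the rest of the form.
function render_title_field_vulnerable(array $config): string
{
    return '<input type="text" name="site_title" value="'
        . $config['site_title'] . '">';
}

// Hardened: escape for the HTML attribute context. ENT_QUOTES encodes both
// double and single quotes, so the value can never close the attribute.
function render_title_field_safe(array $config): string
{
    $v = htmlspecialchars($config['site_title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="site_title" value="' . $v . '">';
}

// CSRF guard: a random per-session token is embedded in the settings form and
// must be echoed back in the POST. A page on another site cannot read it, so a
// forged request from a logged-in admin's browser is rejected.
// $session stands in for $_SESSION so the helpers run without a web server.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_valid(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf']) || $submitted === null) {
        return false;
    }
    // Constant-time comparison to avoid leaking the token by timing.
    return hash_equals($session['csrf'], $submitted);
}

// Constructed sample: the value the thread describes.
$config = ['site_title' => 'My site">'];
echo render_title_field_vulnerable($config), "\n";
echo render_title_field_safe($config), "\n";

$session = [];
$token = csrf_token($session);
var_dump(csrf_valid($session, $token));   // genuine form submission
var_dump(csrf_valid($session, null));     // forged request without the token
```

The same escaping belongs on every other config value the admin page echoes back into the form, not only site_title.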

johnjdoe
Posts: 571
Joined: Tue May 20, 2008 6:32 am

Re: XSS vulnerability in 3.3, allows deface of website

Post by johnjdoe » Tue Jun 14, 2011 8:01 am

You could use the plugin GXSecurity to avoid such things ...
It's no guarantee, but better than nothing.

bjorn
Posts: 75
Joined: Thu Apr 28, 2011 3:13 pm

Re: XSS vulnerability in 3.3, allows deface of website

Post by bjorn » Wed Jun 15, 2011 1:33 am

johnjdoe wrote: You could use the plugin GXSecurity to avoid such things ...
GXSecurity might be good on some sites.

But if people don't change the default password from "test" to something else, then they, so to speak, leave the door open to anybody. If people can log into the admin part of the site, no security plugin can prevent harmful things from happening to your site.

Cheers!
Bjorn
http://www.cmsimple-le.eu

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: XSS vulnerability in 3.3, allows deface of website

Post by cmb » Sat Jul 14, 2012 4:26 pm

angelicalee8 wrote: I got hacked because I never changed the default password.
Are you sure? The attacker might as well have obtained your password by XSS or by sniffing the HTTP traffic, or even by obtaining your FTP credentials (e.g. via a trojan horse). So it's best if you check any computer on which you might have stored the FTP credentials with a good malware scanner and change the FTP password.
angelicalee8 wrote: Do you have any other insight that may be helpful from your experience?
  • Never use the default password on a publicly available server. Instead use a strong password that you don't use elsewhere.
  • It's best not to store FTP login credentials in your FTP client.
  • Check cmsimple/log.txt regularly for unauthorized access attempts.
  • Regularly check this forum for security related information (it's probably a good idea to subscribe to the security forum).
  • Always use the latest version of your CMSimple variant. BTW: which one do you use?
  • Regularly check your site (even if you don't want to make some changes), to detect any hack as early as possible.
  • While being logged in as administrator, don't visit other websites from the same browser and do not click any links in emails (or elsewhere). This avoids potential XSS and CSRF attacks.
  • Make regular backups of your website. This won't prevent any attack, but it might be helpful in case you have been hacked: just delete everything from the server and restore the latest "clean" backup.
Christoph M. Becker – Plugins for CMSimple_XH
