CMS Made Simple: backend cross site scripting (XSS), CVE-2010-1482 References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1482 http://int21.de/cve/CVE-2010-1482-cmsmadesimple-xss-backend.html http://blog.cmsmadesimple.org/2010/05/01/announcing-cms-made-simple-1-7-1-escade/ Description CMS Made Simple 1.7.0 and earlier is vulnerable to cross site scripting in the backend. The personal options page at admin/editprefs.php contains the field date_format_string, which is not properly escaped and can be filled with Javascript-code, e.g. ">. As this page cannot be viewed by the admin or other users, this only allows quite unlikely attack scenarios, so the impact should be considered very low. Vendor has released 1.7.1, which filters out HTML-tags and restricts the field size to 10 chars. Filtering out HTML-tags alone does not help, as one can still use JavaScript event handlers (e.g. onMouseOver), but 10 chars doesn't allow any useful code to be injected. The proper solution would be escaping the output including quotes. So this is fixed, but it's not a very clean solution. Disclosure Timeline 2010-04-30: Vendor contacted 2010-04-30: Vendor replied 2010-05-01: Vendor released 1.7.1 with fix 2010-05-07: Published advisory Credits This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de, of schokokeks.org webhosting. -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail: hanno@hboeck.de http://schokokeks.org - professional webhosting