BID:12303

CMSimple Multiple Remote Input Validation Vulnerabilities

Info

CMSimple Multiple Remote Input Validation Vulnerabilities

Bugtraq ID:	12303
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Jan 19 2005 12:00AM
Updated:	Jan 19 2005 12:00AM
Credit:	The individual or individuals responsible for the discovery of this issue are currently unknown; the vendor disclosed this issue.
Vulnerable:	CMSimple Content Management System 2.4 Beta 4 CMSimple Content Management System 2.4 Beta 3 CMSimple Content Management System 2.4 Beta 2 CMSimple Content Management System 2.4 Beta 1 CMSimple Content Management System 2.4 Beta CMSimple Content Management System 2.3 Beta 5 CMSimple Content Management System 2.3 Beta 4 CMSimple Content Management System 2.3 Beta 3 CMSimple Content Management System 2.3 Beta 2 CMSimple Content Management System 2.3 Beta 1 CMSimple Content Management System 2.3 CMSimple Content Management System 2.2 Beta 4 CMSimple Content Management System 2.2 Beta 3 CMSimple Content Management System 2.2 Beta 2 CMSimple Content Management System 2.2 Beta 1 CMSimple Content Management System 2.2 CMSimple Content Management System 2.1 CMSimple Content Management System 2.0 Beta 4 CMSimple Content Management System 2.0 Beta 3 CMSimple Content Management System 2.0 Beta 2 CMSimple Content Management System 2.0 Beta 1 CMSimple Content Management System 1.3 Beta 2 CMSimple Content Management System 1.3 Beta 1 CMSimple Content Management System 1.2 CMSimple Content Management System 1.1 CMSimple Content Management System 1.0 CMSimple Content Management System Beta 2 CMSimple Content Management System Beta 1

Not Vulnerable:	CMSimple Content Management System 2.4 Beta 5

Discussion

CMSimple Multiple Remote Input Validation Vulnerabilities

Multiple input validation vulnerabilities affect CMSimple. These issues are due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content.

The first issue is an HTML injection vulnerability in the guestbook functionality of the application. The second issue is a cross-site script vulnerability in the search functionality of the application.

An attacker may leverage these issues to have arbitrary script code executed in the context of the vulnerable Web site. This will facilitate theft of cookie based authentication credentials as well as other attacks.

Exploit / POC

CMSimple Multiple Remote Input Validation Vulnerabilities

No exploit is required to leverage these issues.

Solution / Fix

CMSimple Multiple Remote Input Validation Vulnerabilities

Solution:
The vendor has released an upgrade dealing with this issue. Please contact the vendor for more information regarding obtaining the upgrade.

CMSimple Content Management System 2.3

CMSimple CMSimple2_4_beta5_cms.php
http://www.cmsimple.dk/?download=CMSimple2_4_beta5_cms.php

References

CMSimple Multiple Remote Input Validation Vulnerabilities

References:

CMSimple Content Management - Beta version (CMSimple)
CMSimple Home Page (CMSimple)