IT Security Guru

Edgescan finds Critical WordPress Plugin Vulnerabilities – Here’s All You Need To Know

CMS Made Simple and LimeSurvey have been notified and are working to resolve the issues

by Sabina
July 22, 2020
in Featured, Guru's Picks, Research

Edgescan’s Senior Security Consultant Guram Javakhishvili has discovered several vulnerabilities across a number of popular applications. Some of these are not yet publicly available. As soon as the vendor implements the fixes, those issues will also be added to this list and the article will be updated accordingly.

CMS Made Simple 2.2.13

CMS Made Simple is a Content Management System that was first released in July 2004 as an open source General Public License (GPL) package. It is currently used in both commercial and personal projects. It’s built using PHP and the Smarty Engine, which keeps content, functionality, and templates separated.

Guram discovered 5 vulnerabilities in CMS Made Simple 2.2.13. Three are resolved in the latest update 2.2.14 and 2 are outstanding.

  1. Reflected Cross-Site Scripting #12224 – CMS Made Simple 2.2.13

Issue: Insufficient validation of user input on the authenticated part of the CMS Made Simple web application exposes the application to a reflected cross-site scripting (XSS) vulnerability. Such vulnerabilities allow potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.

Vulnerable parameter: m1_newdirname

Severity: Minor

Resolution: Fixed in 2.2.14

Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12224

  2. Reflected Cross-Site Scripting #12225 – CMS Made Simple 2.2.13

Issue: Insufficient validation of user input on the authenticated part of the CMS Made Simple web application exposes the application to a reflected cross-site scripting (XSS) vulnerability. Such vulnerabilities allow potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.

Vulnerable parameter: m1_name

Severity: Minor

Resolution: Fixed in 2.2.14

Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12225

  3. Stored Cross-Site Scripting #12226 – CMS Made Simple 2.2.13

Issue: Insufficient validation of user input on the authenticated part of the CMS Made Simple web application exposes the application to persistent cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server. When the content is viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.

List of vulnerable parameters: metadata, pagedata

Severity: Critical

Resolution: Fixed in 2.2.14

Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12226

  4. Stored Cross-Site Scripting #12227 – CMS Made Simple 2.2.13

Issue: These vulnerabilities allow potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server. When the User/User’s Preferences are viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.

Vulnerable parameter: date_format_string

Severity: Minor

Resolution: Fixed in 2.2.14

Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12227

  5. Stored Cross-Site Scripting #12228 – CMS Made Simple 2.2.13

Issue: These vulnerabilities allow potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server. When the News is viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.

Vulnerable parameter: m1_title

Severity: Critical

Resolution: Fixed in 2.2.14

Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12228

LimeSurvey

LimeSurvey is a free and open source online statistical survey web app written in PHP. As web server-based software, it lets users develop and publish online surveys through a web interface, collect responses, create statistics, and export the resulting data to other applications.

Guram discovered three vulnerabilities in LimeSurvey 3.21.1 which have been fixed in the latest version 3.21.2.

  1. Cross Site Scripting Stored #15680 – LimeSurvey 3.21.1

LimeSurvey latest version 3.21.1 and LimeSurvey development version 4.0.0 suffer from reflected and persistent (stored) cross-site scripting and HTML injection vulnerabilities.
Insufficient validation of user input on the authenticated part of the LimeSurvey application exposes the application to persistent cross-site scripting (XSS) vulnerabilities.
These vulnerabilities allow potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.

List of vulnerable parameters: firstname, lastname

Resolution: Fixed in 3.21.2

Detailed description of this bug: https://bugs.limesurvey.org/view.php?id=15680

  2. Cross Site Scripting Stored #15681 – LimeSurvey 3.21.1

Insufficient validation of user input on the authenticated part of the LimeSurvey application exposes the application to persistent cross-site scripting (XSS) vulnerabilities.
These vulnerabilities allow potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.

Vulnerable parameter: Quota%5Bname%5D

Resolution: Fixed in 3.21.2

Detailed description of this bug: https://bugs.limesurvey.org/view.php?id=15681

  3. Cross Site Scripting #15672 – LimeSurvey 3.21.1

Insufficient validation of user input on the authenticated part of the LimeSurvey application exposes the application to persistent cross-site scripting (XSS) vulnerabilities.
These vulnerabilities allow potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.

Vulnerable parameter: ParticipantAttributeNamesDropdown

Resolution: Fixed in 3.21.2

Detailed description of this bug: https://bugs.limesurvey.org/view.php?id=15672
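
The root cause shared by the findings above is a value that is stored or reflected and then written into HTML without output encoding. The following PHP sketch is an added example, not code from CMS Made Simple, LimeSurvey or Edgescan: it shows the vulnerable pattern beside a hardened one. The function names, markup and sample values are hypothetical; only the parameter names `m1_title` and `Quota%5Bname%5D` are taken from the list.

```php
<?php
// Added illustration; NOT code from CMS Made Simple or LimeSurvey.
// Function names and markup are hypothetical. Only the parameter names
// (m1_title, Quota%5Bname%5D) come from the findings listed above.

// Constructed sample request body. "Quota%5Bname%5D" is the URL-encoded
// form of "Quota[name]", which PHP parses into a nested array.
$raw = 'm1_title=' . urlencode('<em>injected</em>')
     . '&Quota%5Bname%5D=' . urlencode('" data-injected="1');
parse_str($raw, $input);

// Encode a value for HTML text and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the value is concatenated into markup as-is.
function renderUnsafe(array $in): string
{
    return '<h2>' . $in['m1_title'] . '</h2>'
         . '<input name="quota" value="' . $in['Quota']['name'] . '">';
}

// Hardened pattern: check the shape, then encode at output time.
function renderSafe(array $in): string
{
    $title = $in['m1_title'] ?? '';
    $quota = $in['Quota']['name'] ?? '';
    // A client can send m1_title[]=x to turn a string into an array.
    if (!is_string($title) || !is_string($quota)) {
        throw new InvalidArgumentException('unexpected parameter type');
    }
    return '<h2>' . e($title) . '</h2>'
         . '<input name="quota" value="' . e($quota) . '">';
}

$unsafe = renderUnsafe($input);
$safe   = renderSafe($input);

// The unsafe output carries the injected element and attribute; the safe
// output carries the same characters only as encoded text.
var_dump(strpos($unsafe, '<em>') !== false);
var_dump(strpos($safe, '<em>') === false);
var_dump(strpos($safe, '" data-injected') === false);
echo $safe, PHP_EOL;
```

Encoding at output time covers both the reflected and the stored cases, because the stored value is treated as untrusted again each time it is rendered.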

Steps you should take to secure your CMS applications from hacking

Here’s the list of steps to tackle and prevent attacks against your CMS:

  • It is crucially important to keep your installed scripts and CMS platforms up to date. Create a regular schedule to update or patch your CMS and all installed plugins and themes, and ensure all components are up to date.
  • Updating at least weekly is equally important. Regularly back up the CMS and its underlying database.
  • Subscribe to a regularly updated list of vulnerabilities for the specific CMS being used.
  • Avoid default usernames (e.g., ‘admin’) and enforce a strong password policy for your CMS’s admin area and server to protect them from brute-force attacks.
  • Use a plugin for strong authentication, or two-factor authentication (2FA), for an additional layer of protection.
  • Add another layer of protection with a Web Application Firewall (WAF), which automatically protects against all or most of the vulnerabilities. A WAF applies a set of rules to an HTTP conversation; generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. Also install security plugins to actively prevent hacking attempts: these plugins notify you of the weaknesses inherent in each platform and halt the hacking attempts that could threaten your application.
  • More training and resources are available from the Edgescan blog post, ‘Secure Application Development Training Material’.

 

“Cross Site Scripting (XSS) was discovered in 1999 and is massively prevalent across web applications today. Cross site scripting flaws are the most prevalent flaw in web applications today. Over 12% of vulnerabilities across the fullstack were attributed to XSS in the Edgescan 2020 Vulnerability Stats Report.
