GetSimpleCMS 3.3.5: XSS, Code Execution, DOS, Password Leak, Weak Authentication, Misc

  • Vulnerability: XSS, Code Execution, DOS, Password Leak, Weak Authentication, Misc
  • Affected Software: GetSimple CMS
  • Affected Version: 3.3.5 (probably also prior versions)
  • Partially Patched Version: 3.3.6
  • Risk: Medium-High
  • Vendor Contacted: 2015-06-14
  • Vendor Partial Fix: 2015-07-14
  • Public Disclosure: 2015-07-15

GetSimple CMS is a content management system written in PHP. It does not use a database, but xml files instead.

There are various vulnerabilities in version 3.3.5, most of which are fixed in version 3.3.6.

For version 3.3.6 it is important that the htaccess file of GetSimple CMS can be read by the server, as otherwise passwords and other sensitive information will be disclosed (the functionality of the website itself is not affected by an unread htaccess file, so it might go unnoticed).

ZenPhoto 1.4.8: Second Order SQL Injection, Reflected XSS, Path Traversal, Function Execution

  • Vulnerability: Second Order SQL Injection, Reflected XSS, Path Traversal, Function Execution
  • Affected Software: ZenPhoto
  • Affected Version: 1.4.8 (probably also prior versions)
  • Patched Version: 1.4.9
  • Risk: Medium
  • Vendor Contacted: 2015-05-18
  • Vendor Fix: 2015-07-09
  • Public Disclosure: 2015-07-10

ZenPhoto is an open-source CMS written in PHP with a focus on hosting images. There are multiple vulnerabilities in version 1.4.8, including SQL injection and XSS vulnerabilities.

TinyWebGallery 2.3.2: Reflected XSS

  • Vulnerability: Reflected XSS
  • Affected Software: TinyWebGallery
  • Affected Version: 2.3.2 (probably also prior versions)
  • Patched Version: 2.3.3
  • Risk: Low-Medium
  • Vendor Contacted: 2015-05-26
  • Vendor Fix: 2015-06-15
  • Public Disclosure: 2015-06-27

There is an XSS vulnerability in version 2.3.2 of TinyWebGallery. It is relatively hard to trigger as it requires a double click by an admin (which can be achieved via clickjacking and social engineering), but once triggered, leads to code execution because of the provided file edit functionality.

The vulnerability is unlikely to be exploited in the wild because it requires quite a bit of social engineering; I’m publishing it because it is a nice example of how different small vulnerabilities can come together and lead to arbitrary PHP code execution.

SQL Injection & Reflected XSS in Visual Form Builder 2.8.2 (WordPress Plugin)

  • Vulnerability: SQL Injection & Reflected XSS
  • Affected Software: Visual Form Builder (WordPress Plugin)
  • Affected Version: 2.8.2 (probably also prior versions)
  • Patched Version: 2.8.3
  • Risk: High
  • Vendor Contacted: 2015-05-06
  • Vendor Fix: 2015-05-09
  • Public Disclosure: 2015-05-15

The current version (v2.8.2) of the WordPress plugin Visual Form Builder is vulnerable to reflected XSS as well as SQL injection attacks.

The damage each attack on it’s own can achieve is limited. The SQL injection can lead to data leaks, and possibly priviledge escalation or code execution, but an admin login is required. And as WordPress secures it’s relevant cookies, it’s not possible to gain a login via XSS, it is only possibly to eg display the login page and hope that the admin enters their password or inject a JavaScript keylogger; both mean that an admin doesn’t just have to visit a website, but also has to additionally enter their password somewhere. With XSS, it is also possibly to bypass CSRF, so an attacker could eg change PHP scripts if DISALLOW_FILE_EDIT is false, which hopefully is not the case.

Combined, these attacks get interesting: Via XSS it is possible to let the admin execute the SQL injection, and then send the results to the attacker. The admin only has to click on a link once, and does not have to perform any further actions.

Arbitrary File Override & Reflected XSS in My Calendar 2.3.29 (WordPress Plugin)

  • Vulnerability: Arbitrary File Override & Reflected XSS
  • Affected Software: My Calendar (WordPress Plugin)
  • Affected Version: 2.3.29 (probably also prior versions)
  • Patched Version: 2.3.30
  • Risk: Medium
  • Vendor Contacted: 2015-05-10
  • Vendor Fix: 2015-05-11
  • Public Disclosure: 2015-05-15

There is an arbitrary file override vulnerability as well as a reflected XSS vulnerability in the current version (2.3.29) of the My Calendar plugin.

Multiple Reflected XSS in Anti-Malware and Brute-Force Security by ELI (WordPress Plugin)

  • Vulnerability: Reflected XSS
  • Affected Software: Anti-Malware and Brute-Force Security by ELI (WordPress Plugin)
  • Affected Version: 4.15.17 (probably also prior versions)
  • Patched Version: 4.15.20
  • Risk: Medium
  • Vendor Contacted: 2015-05-06
  • Vendor Fix: 2015-05-09
  • Public Disclosure: 2015-05-15

There are multiple reflected XSS vulnerabilities in the current version (4.15.17) of the Anti-Malware and Brute-Force Security by ELI WordPress plugin.

Reflected XSS can lead to execution of arbitrary JavaScript in the victims browser, which can lead to key logging, phishing, stealing of cookies, changing of data, and so on. The fact that these are present in an admin area does not weaken the attack, as the most interesting victim will be an admin.