GetSimpleCMS 3.3.5: XSS, Code Execution, DOS, Password Leak, Weak Authentication, Misc

  • Vulnerability: XSS, Code Execution, DOS, Password Leak, Weak Authentication, Misc
  • Affected Software: GetSimple CMS
  • Affected Version: 3.3.5 (probably also prior versions)
  • Partially Patched Version: 3.3.6
  • Risk: Medium-High
  • Vendor Contacted: 2015-06-14
  • Vendor Partial Fix: 2015-07-14
  • Public Disclosure: 2015-07-15

GetSimple CMS is a content management system written in PHP. It does not use a database, but stores its data in XML files instead.

There are various vulnerabilities in version 3.3.5, most of which are fixed in version 3.3.6.

For version 3.3.6 it is important that the web server actually reads and applies the htaccess file shipped with GetSimple CMS, as otherwise passwords and other sensitive information will be disclosed (the functionality of the website itself is not affected by an ignored htaccess file, so the problem might go unnoticed).


WordPress File Upload Plugin 2.7.6: Code Execution, CSRF, XSS, Information Disclosure

  • Vulnerability: Code Execution, CSRF, XSS, Information Disclosure
  • Affected Software: WordPress File Upload (WordPress Plugin)
  • Affected Version: 2.7.6 (probably also prior versions)
  • Patched Version: 3.0.0
  • Risk: High
  • Vendor Contacted: 2015-06-30
  • Vendor Fix: 2015-07-02
  • Public Disclosure: 2015-07-02

Beehive Forum 1.4.5: Multiple XSS and CSRF

  • Vulnerability: Multiple XSS and CSRF
  • Affected Software: Beehive Forum
  • Affected Version: 1.4.5 (probably also prior versions)
  • Patched Version: 1.4.6
  • Risk: Medium
  • Vendor Contacted: 2015-05-18
  • Vendor Fix: 2015-05-30
  • Public Disclosure: 2015-06-05

There are multiple XSS and CSRF vulnerabilities in Beehive Forum 1.4.5. Beehive Forum is open source forum software based on PHP.


Bypass CSRF Protection via XSS

In this post I will show why anti-CSRF tokens are useless as soon as there is an XSS vulnerability in the target site. This post contains all the example scripts necessary to reproduce bypassing CSRF protection via XSS vulnerabilities. The code is meant for educational purposes only.

Basic Terms: CSRF and XSS

CSRF means Cross-Site Request Forgery. The idea is to get a user that is logged in at a website to perform actions on that site they do not actually want to perform. This can be achieved by getting the victim to visit a website (possibly – but not necessarily – owned by the attacker) that contains specially crafted HTML code created by the attacker. CSRF is possible with POST as well as GET requests (although as per REST, GET requests shouldn’t actually change data on the server).

An anti-CSRF token is the recommended way to prevent CSRF. A one-time token is stored in the session as well as in the form when the form is created; when the form is submitted, the submitted token is compared to the session token. If they match, the request is not a CSRF attack.

XSS means cross-site scripting, and it allows an attacker to execute arbitrary JavaScript in the victim's browser in the context of the vulnerable website.

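The following is an added example, not code from the original post, showing the server side of the anti-CSRF token scheme described above: a one-time token is generated when the form is rendered, stored in the session, and compared in constant time when the form is submitted. The in-memory `SESSIONS` dict, the `/settings` action and the `handle_post` function are assumptions made for the example. Note that the check only establishes that the submitted form came from a page in the site's own origin, which is exactly why it offers no protection once script is running in that origin.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session store: session id -> session data.
# A real application would use its framework's server-side session backend.
SESSIONS = {}


def get_session(session_id):
    """Return (and create if needed) the session dict for a session id."""
    return SESSIONS.setdefault(session_id, {})


def issue_csrf_token(session):
    """Create a fresh, unguessable one-time token and store it in the session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def render_form(session, action="/settings"):
    """Render a form that carries the session's token in a hidden field.
    The token is created at the same moment the form is, as the post describes."""
    token = issue_csrf_token(session)
    return (
        f'<form method="POST" action="{escape(action)}">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input type="email" name="email">'
        '<button type="submit">Save</button>'
        '</form>'
    )


def validate_csrf(session, submitted_token):
    """Compare the submitted token with the one stored in the session.

    The stored token is removed on every attempt, so it can be used only once
    (a replayed or second submission fails), and the comparison runs in
    constant time to avoid leaking the token through timing differences."""
    expected = session.pop("csrf_token", None)
    if expected is None or submitted_token is None:
        return False
    return hmac.compare_digest(expected, submitted_token)


def handle_post(session_id, form_fields):
    """Simulated POST handler for the settings form: returns (status, message)."""
    session = get_session(session_id)
    if not validate_csrf(session, form_fields.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, f"email updated to {form_fields.get('email')}"


if __name__ == "__main__":
    # Legitimate flow: the form is rendered in the user's session, then submitted
    # with the token the page contained.
    session = get_session("sid-legit")
    page = render_form(session)
    token = session["csrf_token"]
    print(handle_post("sid-legit", {"csrf_token": token, "email": "user@example.test"}))

    # Replaying the same token is rejected because it was consumed.
    print(handle_post("sid-legit", {"csrf_token": token, "email": "user@example.test"}))

    # A form submitted from a third-party page cannot carry the session's token.
    get_session("sid-victim")
    render_form(get_session("sid-victim"))
    print(handle_post("sid-victim", {"email": "attacker@example.test"}))
```

The `pop` in `validate_csrf` is what makes the token one-time; frameworks that keep a per-session token for the whole session instead trade that replay protection for simpler multi-tab handling, and either variant is defeated by script running in the page's origin in the way the post goes on to show.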