CMS MADE SIMPLE FORGE

CMS Made Simple Core


[#9269] stored XSS on admin page

Created By: blokaas (blokaas)
Date Submitted: Sun May 19 11:41:02 -0400 2013

Assigned To: Tapio Löytty (Stikki)
Version: None
CMSMS Version: None
Severity: Critical
Resolution: Fixed
State: Closed
Summary:
stored XSS on admin page
Detailed Description:
Every failed admin login attempt is logged, together with the client's IP. The
get_real_ip() function in lib/classes/class.cms_utils.php first checks whether the
X-Forwarded-For header is present and, if so, uses it as the client IP, unsanitized.
The X-Forwarded-For header is completely controlled by the client, so making a
failed login with the header
X-Forwarded-For: 31.3.3.7"><script>alert(/xss/);</script>
will insert this payload into the admin log, which is eventually displayed on
adminlog.php when an admin is logged in.

Proof of concept:
insert payload:
wget http://path/to/cmsmadesimple/admin/login.php \
  --header='X-Forwarded-For: localhost"><script>alert(/xss/);</script>' \
  --post-data="username=random&password=NOTREALLYAPASSWORDLOL&loginsubmit=Submit"

visit adminlog.php to see the payload inserted into the page unsanitized.


Note that the database field containing the payload has a limited size; this
doesn't stop exploitation, though.
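The root cause above is a two-part failure: the IP helper trusts a client-supplied header as if it were a network fact, and the log page emits the stored value into HTML without escaping. The PHP below is an added example, not CMSMS code and not the fix that was committed; the function names get_real_ip_unsafe, get_client_ip and render_log_row, the trusted-proxy list and the sample request are assumptions. It models the reported pattern next to a hardened replacement that only honours X-Forwarded-For when the TCP peer is a known proxy, requires each hop to be a syntactically valid IP, and escapes on output regardless of what was stored.

```php
<?php
// Added example (not CMSMS code). Models the reported get_real_ip() shape and a
// hardened replacement. All names and addresses here are assumed for illustration.

// Vulnerable shape: whatever the client put in X-Forwarded-For is returned as-is.
function get_real_ip_unsafe(array $server): string {
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $server['HTTP_X_FORWARDED_FOR'];
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened: trust X-Forwarded-For only when the TCP peer is one of our own
// proxies, walk the chain from the right past those proxies, and require the
// chosen hop to be a valid IP. Anything else falls back to REMOTE_ADDR.
function get_client_ip(array $server, array $trusted_proxies = []): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '';
    }
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote; // direct connection: the header means nothing
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (in_array($hop, $trusted_proxies, true)) {
            continue; // appended by one of our proxies, keep walking left
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            return $hop; // first non-proxy hop from the right is the client
        }
        break; // malformed entry: stop trusting the chain entirely
    }
    return $remote;
}

// Output side: escape every stored field when rendering the admin log, so even
// a value that slipped past validation cannot become markup.
function render_log_row(string $ip, string $msg): string {
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $esc($ip) . '</td><td>' . $esc($msg) . '</td></tr>';
}

// Constructed request carrying the header from the report's proof of concept.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '31.3.3.7"><script>alert(/xss/);</script>',
];
// Constructed request as seen behind an assumed reverse proxy at 10.0.0.2.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.2',
];

echo get_real_ip_unsafe($direct), "\n";                 // payload passes through untouched
echo get_client_ip($direct), "\n";                      // 203.0.113.10: peer is not a proxy, header ignored
echo get_client_ip($direct, ['203.0.113.10']), "\n";    // 203.0.113.10: header honoured but invalid, fall back
echo get_client_ip($proxied, ['10.0.0.2']), "\n";       // 198.51.100.7: real client behind the proxy
echo render_log_row(get_real_ip_unsafe($direct), 'Failed login'), "\n"; // angle brackets and quotes escaped
```

Validation on the way in and escaping on the way out are independent controls; the second one is what makes adminlog.php safe even for rows written before the fix, so a deployment that only patches get_real_ip() should still purge or re-escape existing log entries.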


History

Comments
Date: 2013-05-19 18:04
Posted By: Tapio Löytty (Stikki)

Fixed in SVN.

Thanks for reporting.
Updates

Updated: 2013-09-18 03:18
state: Open => Closed

Updated: 2013-05-19 18:04
resolution_id: 5 => 7
assigned_to_id: 100 => 11306

Updated: 2013-05-19 11:44
description: (edited)
resolution_id: => 5