hi,
I read a security news here: http://www.frsirt.com/english/advisories/2007/0027
about a CMS Made Simple "searchinput" Parameter Handling Cross Site Scripting Vulnerability in CMS Made Simple version 1.0.2
I didn't find any information about that problem in forum...? how to avoid it?
vulnerability in cmsms 1.0.2
Re: vulnerability in cmsms 1.0.2
It was mentioned at bugtraq: http://www.securityfocus.com/archive/1/ ... 0/threaded
And fixed in SVN: http://viewsvn.cmsmadesimple.org/viewsv ... h&view=rev
Regards,
D
And fixed in SVN: http://viewsvn.cmsmadesimple.org/viewsv ... h&view=rev
Regards,
D
Re: vulnerability in cmsms 1.0.2
1.0.3 will be released this week (if it tests well) to address this problem.
Re: vulnerability in cmsms 1.0.2
The full report is at http://seclists.org/bugtraq/2007/Jan/0137.html, it includes instructions on how to fix it - which might be a good idea until the next version comes out.
It's not just a search vulnerability, it also lets people into your admin...so patch
It's not just a search vulnerability, it also lets people into your admin...so patch
Re: vulnerability in cmsms 1.0.2
Yes, I agree. You should patch these if you get a chance. Though... they're not critical flaws. They're non-permanent XSS vulnerabilities. They can't harm the system, let anyone into your admin or do anything else. That's why I haven't rushed 1.0.3 out the door. If they were any more serious, I would have expedited a patch as soon as I found out about it.
Re: vulnerability in cmsms 1.0.2
so these aren't critical to fix? i have a 1.02 site that kinda blew up on me when i tried to upgrade it to 1.04. had to reinstall 1.02 and restore a db backup from that version... i don't really want to try that again for a bit unless i absolutely have to.Ted wrote: Yes, I agree. You should patch these if you get a chance. Though... they're not critical flaws. They're non-permanent XSS vulnerabilities. They can't harm the system, let anyone into your admin or do anything else. That's why I haven't rushed 1.0.3 out the door. If they were any more serious, I would have expedited a patch as soon as I found out about it.
eternity (n); 1. infinite time, 2. a seemingly long or endless time, 3. the length of time it takes a frozen pizza to cook when you're starving.
4,930,000,000 (n); 1. a very large number, 2. the approximate world population in 1986 when Microsoft Corp issued its IPO. 3. Microsoft's net profit (USD) for the quarter (3 months) ending 31 March 2007.
CMSMS migration and setup services | Hosting with CMSMS installed and ready to go | PM me for Info
4,930,000,000 (n); 1. a very large number, 2. the approximate world population in 1986 when Microsoft Corp issued its IPO. 3. Microsoft's net profit (USD) for the quarter (3 months) ending 31 March 2007.
CMSMS migration and setup services | Hosting with CMSMS installed and ready to go | PM me for Info
Re: vulnerability in cmsms 1.0.2
did that.. thx.
eternity (n); 1. infinite time, 2. a seemingly long or endless time, 3. the length of time it takes a frozen pizza to cook when you're starving.
4,930,000,000 (n); 1. a very large number, 2. the approximate world population in 1986 when Microsoft Corp issued its IPO. 3. Microsoft's net profit (USD) for the quarter (3 months) ending 31 March 2007.
CMSMS migration and setup services | Hosting with CMSMS installed and ready to go | PM me for Info
4,930,000,000 (n); 1. a very large number, 2. the approximate world population in 1986 when Microsoft Corp issued its IPO. 3. Microsoft's net profit (USD) for the quarter (3 months) ending 31 March 2007.
CMSMS migration and setup services | Hosting with CMSMS installed and ready to go | PM me for Info