Bugtraq report of security issues in 1.6.6

Peripatetic · Post by **Peripatetic** » Sat Feb 13, 2010 4:30 pm

Just came across this on Bugtraq:

cmsmadesimple Multiple Security Issues : XSS+ LFI
http://seclists.org/bugtraq/2010/Feb/133

I tried the proof of concept code on my own non-public 1.6.6 installation but couldn't get it to work. Maybe it only works on a default installation or it's configuration dependent. I didn't want to file a bug until it can be reproduced. Can anyone with more in-depth CMSMS knowledge check this out and see if these are real vulnerabilities?

calguy1000 · Post by **calguy1000** » Sat Feb 13, 2010 5:13 pm

It's been dealt with, we're waiting for confirmation from the original hacker that the bug is fixed, and then 1.6.7 will be released,.

Peripatetic · Post by **Peripatetic** » Sun Feb 14, 2010 8:59 pm

Great. Nice to hear it's been so quickly dealt with.

Wishbone · Post by **Wishbone** » Mon Feb 15, 2010 4:38 am

What was exploiting this vulnerability supposed to be able to do?

tyman00 · Post by **tyman00** » Mon Feb 15, 2010 3:42 pm

We found where the concern came from, but we honestly could not replicate the issue. However, we made a change to be proactive. Once we hear back the confirmation a 1.6.7 will go out.

CMS Made Simple Forums

Bugtraq report of security issues in 1.6.6

Bugtraq report of security issues in 1.6.6

Re: Bugtraq report of security issues in 1.6.6

Re: Bugtraq report of security issues in 1.6.6

Re: Bugtraq report of security issues in 1.6.6

Re: Bugtraq report of security issues in 1.6.6