Hello there.
https://twitter.com/cvebot/status/410119215170195456
I just found a tweet on that shows a possible vulnerability in cmsms 1.11.9.
I'm posting it here so, you can check it out and respond if necessary
[solved] Cross-site scripting (XSS) vulnerability
-
brutusmaximus
- Forum Members
- Posts: 23
- Joined: Tue Apr 02, 2013 1:15 pm
- Location: 's-Hertogenbosch
[solved] Cross-site scripting (XSS) vulnerability
Last edited by brutusmaximus on Tue Dec 10, 2013 7:37 pm, edited 1 time in total.
-
calguy1000
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: Cross-site scripting (XSS) vulnerability
FYI.
We do not consider these issues (and there are more than one) to be serious. In fact in our opinion they are very minor bugs.
Essentially, the issue is/issues are that a logged in, authenticated administrator can inject some javascript into various fields (such as the handler name of an event handler, or the stylesheet name, or various other fields that can result in an XSS attack emanating from your website and going to other authorized editors.
The reasons we consider this stuff to be very minor issues are:
a: The user has to be a logged in, authenticated and trusted administrator with
appropriate permission (the issues reported so far are not privilege escalation, or methods of bypassing security).
b: The user has to intentionally attack the site with a script that simulates the login, session and cookie process to inject crap into various fields of an item that he is allowed to edit. To our knowledge this can't be accidental, or easy behavior.
c: By the nature of CMSMS, adding HTML and javascript to the website is one of the lower level permissions. This gives editors the capability to potentially insert public XSS attacks directly in the content of a website. It is a minor problem if trusted content editors or administrators can attack the very website they have permission to edit.
It is kind of like this analogy: "If you give the keys of your car to somebody with permission to drive it to the store....they could also drive it anywhere".
If you can't trust your content editors or administrators to not attack your site, then don't give them access at all.
Numerous people have reported these various issues to the development team before. We have reviewed them, and came to the conclusion that for the reasons above we would not make interrupting our plans, fixing these issues, testing, and releasing the fixes a priority. We consider these issues to be minor 'bugs' and we have bigger fish to fry.
To pre-emptively answer the "But they should be fixed" statement that somebody will certainly make. We state finally: We have analyzed the issues and have determined that unless we are missing something obvious, we consider the issues to be very minor and that the stuff we are working on for 2.0 or almost any other bug is more important. Given a thousand code monkeys, we probably still wouldn't fix these issues until such time as we had to revisit that code for another reason anyways.
We do not consider these issues (and there are more than one) to be serious. In fact in our opinion they are very minor bugs.
Essentially, the issue is/issues are that a logged in, authenticated administrator can inject some javascript into various fields (such as the handler name of an event handler, or the stylesheet name, or various other fields that can result in an XSS attack emanating from your website and going to other authorized editors.
The reasons we consider this stuff to be very minor issues are:
a: The user has to be a logged in, authenticated and trusted administrator with
appropriate permission (the issues reported so far are not privilege escalation, or methods of bypassing security).
b: The user has to intentionally attack the site with a script that simulates the login, session and cookie process to inject crap into various fields of an item that he is allowed to edit. To our knowledge this can't be accidental, or easy behavior.
c: By the nature of CMSMS, adding HTML and javascript to the website is one of the lower level permissions. This gives editors the capability to potentially insert public XSS attacks directly in the content of a website. It is a minor problem if trusted content editors or administrators can attack the very website they have permission to edit.
It is kind of like this analogy: "If you give the keys of your car to somebody with permission to drive it to the store....they could also drive it anywhere".
If you can't trust your content editors or administrators to not attack your site, then don't give them access at all.
Numerous people have reported these various issues to the development team before. We have reviewed them, and came to the conclusion that for the reasons above we would not make interrupting our plans, fixing these issues, testing, and releasing the fixes a priority. We consider these issues to be minor 'bugs' and we have bigger fish to fry.
To pre-emptively answer the "But they should be fixed" statement that somebody will certainly make. We state finally: We have analyzed the issues and have determined that unless we are missing something obvious, we consider the issues to be very minor and that the stuff we are working on for 2.0 or almost any other bug is more important. Given a thousand code monkeys, we probably still wouldn't fix these issues until such time as we had to revisit that code for another reason anyways.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
-
brutusmaximus
- Forum Members
- Posts: 23
- Joined: Tue Apr 02, 2013 1:15 pm
- Location: 's-Hertogenbosch
Re: Cross-site scripting (XSS) vulnerability
Wow thanks for the given statement and quick reply.
No further questions. Good luck with the development of version 2.0
No further questions. Good luck with the development of version 2.0
