
vulnerability in cmsms 1.0.2

Posted: Thu Jan 04, 2007 11:28 am
by NomadSoul
hi,

I read a security news here: http://www.frsirt.com/english/advisories/2007/0027
about a CMS Made Simple "searchinput" Parameter Handling Cross Site Scripting Vulnerability in CMS Made Simple version 1.0.2

I didn't find any information about that problem in the forum...? How to avoid it?

Re: vulnerability in cmsms 1.0.2

Posted: Thu Jan 04, 2007 2:00 pm
by Dee

Re: vulnerability in cmsms 1.0.2

Posted: Thu Jan 04, 2007 2:33 pm
by Ted
1.0.3 will be released this week (if it tests well) to address this problem.

Re: vulnerability in cmsms 1.0.2

Posted: Thu Jan 11, 2007 11:58 pm
by szevvy
The full report is at http://seclists.org/bugtraq/2007/Jan/0137.html, it includes instructions on how to fix it - which might be a good idea until the next version comes out.

It's not just a search vulnerability, it also lets people into your admin...so patch :D

Re: vulnerability in cmsms 1.0.2

Posted: Fri Jan 12, 2007 2:12 am
by Ted
Yes, I agree.  You should patch these if you get a chance.  Though...  they're not critical flaws.  They're non-permanent XSS vulnerabilities.  They can't harm the system, let anyone into your admin or do anything else.  That's why I haven't rushed 1.0.3 out the door.  If they were any more serious, I would have expedited a patch as soon as I found out about it.

Re: vulnerability in cmsms 1.0.2

Posted: Fri Feb 23, 2007 11:38 am
by kermit
Ted wrote: Yes, I agree.  You should patch these if you get a chance.  Though...  they're not critical flaws.  They're non-permanent XSS vulnerabilities.  They can't harm the system, let anyone into your admin or do anything else.  That's why I haven't rushed 1.0.3 out the door.  If they were any more serious, I would have expedited a patch as soon as I found out about it.
So these aren't critical to fix?  I have a 1.02 site that kinda blew up on me when I tried to upgrade it to 1.04. Had to reinstall 1.02 and restore a db backup from that version... I don't really want to try that again for a bit unless I absolutely have to.

Re: vulnerability in cmsms 1.0.2

Posted: Fri Feb 23, 2007 9:51 pm
by Dee
They're not "critical", as Ted explained. I would advise patching them manually though (not too much work, add some htmlentities calls, see the link in the post by szevvy).

Regards,
D
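
The kind of change Dee describes (passing reflected request values such as "searchinput" through htmlentities before output), as an added example that is not from this thread or from the CMS Made Simple code base; the function names and form markup are hypothetical.

```php
<?php
// Added illustration; not CMS Made Simple source.
// Function names and markup below are hypothetical.

// Before: the request value is copied straight into an attribute.
function render_search_box_unescaped(string $searchinput): string
{
    return '<input type="text" name="searchinput" value="' . $searchinput . '" />';
}

// Escape for HTML output. ENT_QUOTES encodes both quote styles, so the value
// cannot close the attribute whichever quote the template uses; the explicit
// charset keeps the result independent of the PHP version's default.
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// After: the same markup, with the value escaped at the point of output.
function render_search_box(string $searchinput): string
{
    return '<input type="text" name="searchinput" value="' . h($searchinput) . '" />';
}

// Constructed sample value containing markup characters.
$sample = 'news "archive" <2007> & \'more\'';

echo render_search_box_unescaped($sample), PHP_EOL;
echo render_search_box($sample), PHP_EOL;

// Self-check: no raw quote or angle bracket survives in the escaped value.
if (strpbrk(h($sample), '<>"\'') !== false) {
    throw new RuntimeException('escaping left a markup character in place');
}
```

Escaping belongs at every place the value is written into a page, so each template or module that echoes the parameter needs the same call.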

Re: vulnerability in cmsms 1.0.2

Posted: Sat Feb 24, 2007 11:13 am
by kermit
Dee wrote: They're not "critical", as Ted explained. I would advise patching them manually though (not too much work, add some htmlentities calls, see the link in the post by szevvy).
did that.. thx.