
[CVE-2014-0334] XSS in CMS made simple, plus other security issues
Hi,

CMS Made Simple has several security problems - XSS in the admin console,
weak CSRF protection and a possible PHP object injection via unserialize.

These vulnerabilities were considered unimportant by the CMS Made Simple
developers. Their reasoning was that they had to be exploited by a logged
in administrator user, who is a trusted user anyway. When I explained to
them that with XSS all you need to do is send a malicious link to the
administrator, they responded saying that they are confident in their
CSRF protection. I then sent them an analysis of their CSRF protection (see
the full advisory below), which I found to be quite weak. Finally they
committed to implement a half-assed mitigation for the CSRF token weakness
but said they will not fix the other issues.

Timeline:

- 27.11.2013: Initial contact via the emails listed on www.cmsmadesimple.com.
No reply.

- 03.12.2013: Message posted in the www.cmsmadesimple.com public forum
asking them to contact me. A few hours later I was contacted by calguy and
sent him a more complete version of this advisory with recommendations.

- 09.12.2013: calguy responds saying these will not be fixed as you have to
be an admin user anyway to exploit them.

- 13.12.2013: After a few days arguing over email, Robert Campbell, CMS
Made Simple project manager, responds with an official note saying they
will double the CSRF token length in a future release but will not fix the
rest of the issues.

- 14.12.2013: Handed over to CERT, asking for help in reasoning with the
CMS Made Simple developers.

- 28.02.2014: Public disclosure by CERT.

You can see the full report in my repo at
https://github.com/pedrib/PoC/blob/master/cmsmadesimple-1.11.9.txt

And the CERT report at http://www.kb.cert.org/vuls/id/526062

There are plenty of CMSes out there that have a decent attitude towards
security. Steer well clear of this one.

Regards
Pedro Ribeiro
Agile Information Security