Edgescan Researcher Discovers Multiple Vulnerabilities in CMS Made Simple and Lime Survey

Edgescan Senior Security Consultant Guram Javakhishvili is making an impact in the cybersecurity field as a researcher aka hacker, discovering vulnerabilities across a number of popular applications. Some of which are not yet publicly available, as soon as the vendor implements the fix, those issues will also be added to this list and the blog post will be updated accordingly.

This blog post will address vulnerabilities found in CMS Made Simple and Lime Survey which are already been made available publicly. These vulnerabilities were discovered while validating alerts as part of Edgescan’s human intelligence verification. These discoveries are shared with clients so they can evaluate and mitigate the risks. The vendor is also notified so they can resolve the issues and improve the overall security of the application.

CMS Made Simple 2.2.13

CMS Made Simple is a Content Management System that was first released in July 2004 as an open source General Public License (GPL) package. It is currently used in both commercial and personal projects. It’s built using PHP and the Smarty Engine, which keeps content, functionality, and templates separated.

Guram discovered 5 vulnerabilities in CMS Made Simple 2.2.13. Three are resolved in the latest update 2.2.14 and 2 are outstanding.

1. Reflected Cross-Site Scripting #12224 – CMS Made Simple 2.2.13

Issue: Insufficient validation of user input on the authenticated part of the CMS MadeSimple web application exposes the application to Reflected cross site scripting (XSS) vulnerability. These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.
List of vulnerable parameter: m1_newdirname
Severity: Minor
Resolution: Fixed in 2.2.14
Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12224

2. Reflected Cross-Site Scripting #12225 – CMS Made Simple 2.2.13

Issue: Insufficient validation of user input on the authenticated part of the CMS Made Simple web application exposes the application to Reflected cross site scripting (XSS) vulnerability. These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.
List of vulnerable parameter: m1_name
Severity: Minor
Resolution: Fixed in 2.2.14
Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12225

3. Stored Cross-Site Scripting #12226 – CMS Made Simple 2.2.13

Issue: Insufficient validation of user input on the authenticated part of the CMS Made Simple web application exposes the application to persistent cross site scripting (XSS) vulnerabilities. These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server. When the content being viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.
List of vulnerable parameters: metadata, pagedata
Severity: Critical
Resolution: Fixed in 2.2.14
Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12226

4. Stored Cross-Site Scripting #12227 – CMS Made Simple 2.2.13

Issue: These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server. When the User/User’s Preferences being viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.
List of vulnerable parameters: date_format_string
Severity: Minor
Resolution: Fixed in 2.2.14
Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12227

5. Stored Cross-Site Scripting #12228 – CMS Made Simple 2.2.13

Issue: These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server. When the News being viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.
List of vulnerable parameters: m1_title
Severity: Critical
Resolution: Fixed in 2.2.14
Detailed description of this bug: http://dev.cmsmadesimple.org/bug/view/12228

LimeSurvey 3.21.1

LimeSurvey is a free and open source on-line statistical survey web app written in PHP. As a web server-based software it enables users using a web interface to develop and publish on-line surveys, collect responses, create statistics, and export the resulting data to other applications.
Guram discovered three vulnerabilities in LimeSurvey 3.21.1 which have been fixed in the latest version 3.21.2.

1. Cross Site Scripting Stored #15680 – LimeSurvey 3.21.1

Issue: LimeSurvey latest version 3.21.1 & LimeSurvey development version 4.0.0 suffer from reflective and persistent (Stored) cross site scripting and html injection vulnerabilities.
Insufficient validation of user input on the authenticated part of the Limesurvey application exposes the application to persistent cross site scripting (XSS) vulnerabilities.
These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.
List of vulnerable parameters: firstname, lastname
Resolution: Fixed in 3.21.2
Detailed description of this bug: https://bugs.limesurvey.org/view.php?id=15680

2. Cross Site Scripting Stored #15681- LimeSurvey 3.21.1

Issue: Insufficient validation of user input on the authenticated part of the Limesurvey application exposes the application to persistent cross site scripting (XSS) vulnerabilities.
These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.
List of vulnerable parameters: Quota%5Bname%5D
Resolution: Fixed in 3.21.2
Detailed description of this bug: https://bugs.limesurvey.org/view.php?id=15681

3. Cross Site Scripting #15672 – LimeSurvey 3.21.1

Issue: Insufficient validation of user input on the authenticated part of the Limesurvey application exposes the application to persistent cross site scripting (XSS) vulnerabilities.
These vulnerabilities enable potentially dangerous input from the user to be accepted by the application and then embedded back in the HTML response of the page returned by the web server.
List of vulnerable parameters: ParticipantAttributeNamesDropdown
Resolution: Fixed in 3.21.2
Detailed description of this bug: https://bugs.limesurvey.org/view.php?id=15672

Steps you should take to secure your CMS applications from hacking

• Crucially important to keep your installed scripts and CMS platforms up to date. Create a regular schedule to update or patch your CMS, and all installed plugins and themes. Ensure all components are up-to-date.
• At a minimum weekly update is equally important. Regularly backup the CMS and its underlying database.
• Subscribe to a regularly-updated list of vulnerabilities for the specific CMS being used.
• Avoid use of default usernames (e.g., ‘admin’) enforce strong password policy for your CMS’s admin area and server to protect them from the brute force attacks.
• Use a plugin for strong authentication, or two-factor authentication (2FA) for an additional layer of protection.
• Use another layer of protection (WAF) Web Application Firewall, which automatically protects against all or most of the vulnerabilities.
• Install security plugins to actively prevent hacking attempts. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. These plugins notify the weaknesses inherent in each platform and halt the hacking attempts that could threaten your application. WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application.
• More training and resources available from Edgescan blog post, ‘Secure Application Development Training Material’.

“Cross Site Scripting (XSS) was discovered in 1999 and is massively prevalent across web applications today. Cross site scripting flaws are the most prevalent flaw in web applications today. Over 12% of vulnerabilities across the fullstack were attributed to XSS in the Edgescan 2020 Vulnerability Stats Report.
At Edgescan, we’re proud of the part we play in identifying vulnerabilities in web apps, alerting vendors and supporting them in making their products as secure as possible. “Eoin Keary, CEO, Edgescan.

Subscribe to the Edgescan blog to receive updates.

Guram Javakhishvili

Senior Information Security Consultant

Edgescan