Web Server Cache Poisoning (CMS Made Simple) v1.x - Vulnerability Database

Description

CMS Made Simple version 1.x contains a web cache poisoning vulnerability that allows remote unauthenticated attackers to inject malicious content into cached pages when Smarty Cache is enabled. By manipulating the Host HTTP header in requests, attackers can poison the server-side cache with attacker-controlled content. This vulnerability is exploitable when the web server hosts multiple domains and does not use the Host header for routing decisions, allowing arbitrary Host values to be processed and cached.

Remediation

Apply one of the following remediation steps:

1. Upgrade CMS Made Simple: Update to version 1.12.2 or later, which addresses this vulnerability.

2. Disable Smarty Caching (temporary mitigation): Log into the CMS Made Simple admin panel, navigate to the caching configuration settings, and disable Smarty caching until the upgrade can be performed.

3. Web Server Configuration: Configure your web server to validate and restrict Host header values to only expected domain names. For Apache, use virtual host configurations with ServerName and ServerAlias directives. For Nginx, use server_name directives to explicitly define allowed hosts and reject requests with invalid Host headers.

Verify the fix by testing that requests with arbitrary Host header values are either rejected or do not affect cached content served to other users.
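
For remediation step 3 on Nginx, the following configuration shows the weak setup beside a hardened one. It is an added example, not taken from CMS Made Simple or Invicti; the domain names, certificate paths, document root and PHP-FPM socket are assumptions to replace with your own values.

```nginx
# BEFORE (weak): a single server block and no explicit default. nginx sends any
# request whose Host matches no server_name to the first block for that listen
# address, so arbitrary Host values reach the CMS and its Smarty cache.
#
# server {
#     listen 80;
#     server_name www.example.com;
#     root /var/www/cmsms;
# }

# AFTER (hardened): an explicit catch-all absorbs every unmatched Host value.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # Refuse the TLS handshake for unknown names (nginx 1.19.4 or later),
    # so this block needs no certificate.
    ssl_reject_handshake on;

    # 444 is nginx-specific: close the connection without sending a response.
    return 444;
}

# Only requests whose Host matches a listed name reach the application.
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com example.com;              # assumed site names

    ssl_certificate     /etc/nginx/tls/example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/example.com.key;   # assumed path

    root /var/www/cmsms;                                   # assumed docroot
    index index.php;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;           # assumed socket
    }
}
```

Validate the file with `nginx -t` before reloading. A request carrying a Host value that is not listed in `server_name` should then have its connection closed without a response, and should never reach PHP.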