Web Server Cache Poisoning (CMS Made Simple) v2.x - Vulnerability Database

Web Server Cache Poisoning (CMS Made Simple) v2.x

Description

CMS Made Simple version 2.x contains a web cache poisoning vulnerability that allows remote unauthenticated attackers to inject malicious content into cached pages when Smarty Cache is enabled. An attacker supplies a crafted Host HTTP header; CMS Made Simple stores that value unsanitized in the $_SERVER variable, renders it into the page, and the rendered page is then written to the Smarty cache, so later visitors are served the attacker-controlled content. The vulnerability is exploitable when the web server hosts multiple domains and does not use the Host header for routing decisions, so that arbitrary Host values are accepted and cached rather than rejected.

Remediation

Apply one of the following remediation steps:

1. Update CMS Made Simple: Upgrade to version 2.1.3 or later, which addresses this vulnerability.

2. Disable Smarty Caching (temporary mitigation): If immediate patching is not possible, disable Smarty caching through the CMS Made Simple admin panel under Extensions > Smarty > Settings, and set caching to 'Off'.

3. Web Server Configuration: Configure your web server to validate and restrict Host header values to only expected domain names. For Apache, use virtual host configurations with ServerName and ServerAlias directives. For Nginx, explicitly define server_name values and reject requests with unrecognized hosts.

4. Verification: After applying fixes, test by sending requests with modified Host headers to ensure they are either rejected or do not affect cached content.
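The following nginx configuration is an added example of remediation step 3, not part of the Invicti entry or the CMS Made Simple project. It assumes the site names www.example.com and example.com, the document root /var/www/cmsms and a PHP-FPM socket at /run/php/php-fpm.sock; requests whose Host header matches none of the configured server_name values fall into the default_server block and are dropped, so the value that reaches $_SERVER['HTTP_HOST'] is always one the operator expects.

```nginx
# Catch-all default server (assumed example): any request whose Host header
# does not match an explicitly configured server_name lands here. Return code
# 444 is nginx-specific and closes the connection without sending a response,
# so an attacker-chosen Host never reaches PHP or the Smarty cache.
# A matching default_server block is also needed on port 443 if TLS is used.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# Explicit virtual host for the CMS Made Simple site. Only these exact names
# are accepted; nothing is routed on an attacker-supplied Host value.
server {
    listen 80;
    listen [::]:80;
    server_name www.example.com example.com;      # assumed site names

    root /var/www/cmsms;                          # assumed document root
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;  # assumed PHP-FPM socket
        # Because unknown hosts were already dropped by the default_server
        # block, $host (and therefore HTTP_HOST as seen by PHP) can only be
        # www.example.com or example.com here.
    }
}
```

After reloading nginx, remediation step 4 can be checked with a request carrying an unexpected Host header (for example `curl -s -o /dev/null -w '%{http_code}\n' -H 'Host: attacker.example' http://www.example.com/`), which should produce an empty reply rather than a cached page.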