Several vulnerabilities in CMS Made Simple 1.1.3.1

2007.10.14
Risk: High
Local: No
Remote: Yes
CWE: N/A

Hi,

There are several security bugs in CMS Made Simple 1.1.3.1 (I am not going to release dangerous and exploitable info here):

1) There is a highly dangerous PHP code execution bug in the script.

2) A registered user can access unauthorized pages. For example, he can upload files to the server, or can make users by posting data to /admin/adduser.php directly. He can also access the admin logs page (/admin/adminlog.php?page=1).

3) There are 2 XSS bugs in the script.

4) There are 13 full path disclosure bugs. Direct access to several files can expose the full installation path.

The new version (1.1.4.1) has been released: http://blog.cmsmadesimple.org/2007/10/07/announcing-cms-made-simple-1141/

- Omid



Copyright 2022, cxsecurity.com

 
