next »

[johnbmcdonald]

http://secwatch.org/advisories/1019900/

Bugtraq ID:     BID#27074

 

Description:

An input validation vulnerability in the TinyMCE module for CMS Made Simple has been reported, which can be exploited by remote users to conduct SQL injection attacks.

User-supplied input passed to the "templateid" parameter in the modules/TinyMCE/content_css.php script is not correctly sanitised before being used in a SQL query.  This can be exploited by a specially crafted parameter value to execute arbitrary SQL commands on the underlying database.

 

Affected:

CMS Made Simple version 1.2.2. Other versions may also be affected.

 

Proof of Concept:

SQL Injection:
http://[target]/modules/TinyMCE/content_css.php?templateid=[SQL]

 

Solution:

There was no vendor-supplied solution at the time of entry.

Edit source code manually to ensure user-supplied input is correctly sanitised.

Filter malicious characters and character sequences via a HTTP proxy or firewall with URL filtering capabilities.

Credits:

EgiX

 

[tsw]

wendor supplied hotfix available now


 http://cmsmadesimple.org/pastebin/1440


or uninstall tinymce and remove its files

[Pierre M.]

Hello,

thank you for reporting and thanks devs for the hot fix.

Filter malicious characters and character sequences via (...) URL filtering capabilities.

...as described in CMSms documentation about URL filtering :
http://wiki.cmsmadesimple.org/index.php/User_Handbook/Installation/Optional_Settings

Pierre M.

[johnbmcdonald]

Your welcome. I am glad to help where I can.

BTW: I juist ran across another page that was modified.

http://www.cmsmadesimple.org/features

John

[Duketown]

That is a pitty, some more work to do:
the development\roadmap has been changed as well.
 

[Pierre M.]

BTW: I juist ran across another page that was modified.
http://www.cmsmadesimple.org/features

Yes, I have seen.
And I have tried http://www.cmsmadesimple.org/features?sometextthanSHOULDbefiltered=junk/http://bad.site.tld
and it is fixed in between (but not filtered). Funny

[hprofet]

I think the template itself was changed not individual pages...

[LC350]

Hello,

I just came across cmsms today and downloaded 1.2.3 (after trying many others)

Then I came across this thread.

Can anyone tell me if 1.2.3 is now clear as far as the SQL injection, or do I still need to disable or remove tiny mce?

I really feel for the dev team, because I am so impressed by the package when compared with drupal/joomla.

Thank you for any advice.

[calguy1000]

1.2.3 is the 'fixed version'.  it takes care of the afore mentiond SQL injection vulnerability. 

Go ahead, install, play around.

[LC350]

Thanks very much for the quick reply. Much appreciated.

So is it ok to enable/use the tinymce editor with 1.2.3
?

Thanks again.

[calguy1000]

Yes, 1.2.3 fixed the vulnerability in Tiny.

[LC350]

Thank you very much for clarifying that.

Looking forward to becoming familiar with cmsms, maybe asking a few questions, and then hopefully giving a bit back to the community.

Cheers.