
FYI - Found possible new CMSMS Vulnerability

Posted: Wed Jan 02, 2008 3:15 pm
by johnbmcdonald
http://secwatch.org/advisories/1019900/

Bugtraq ID:  BID#27074



Description:

An input validation vulnerability in the TinyMCE module for CMS Made Simple has been reported, which can be exploited by remote users to conduct SQL injection attacks.

User-supplied input passed to the "templateid" parameter in the modules/TinyMCE/content_css.php script is not correctly sanitised before being used in a SQL query.  This can be exploited by a specially crafted parameter value to execute arbitrary SQL commands on the underlying database.



Affected:

CMS Made Simple version 1.2.2. Other versions may also be affected.



Proof of Concept:

SQL Injection:
http://[target]/modules/TinyMCE/content_css.php?templateid=[SQL]



Solution:

There was no vendor-supplied solution at the time of entry.

Edit source code manually to ensure user-supplied input is correctly sanitised.

Filter malicious characters and character sequences via a HTTP proxy or firewall with URL filtering capabilities.

Credits:

EgiX
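To show the class of defect the advisory above describes in defender's terms, here is an added illustration of the unsafe pattern beside a hardened version. This is not CMS Made Simple's or the TinyMCE module's own code; the table and column names (cms_templates, template_id, stylesheet) and the mysqli connection are assumptions.

```php
<?php
// Added illustration, not CMS Made Simple's own code. Table and column
// names (cms_templates, template_id, stylesheet) are assumed.

// The pattern the advisory describes: the raw query-string value is
// interpolated straight into SQL, so whatever characters the client
// sends become part of the statement text.
function content_css_vulnerable(mysqli $db, array $get): string
{
    $templateid = $get['templateid'] ?? '';
    $sql = "SELECT stylesheet FROM cms_templates WHERE template_id = $templateid";
    $res = $db->query($sql);
    $row = $res ? $res->fetch_assoc() : null;
    return $row['stylesheet'] ?? '';
}

// Hardened form: reject anything that is not a positive integer before it
// reaches the database, then bind the value as a typed parameter so the
// database never parses it as SQL.
function content_css_hardened(mysqli $db, array $get): string
{
    $raw = $get['templateid'] ?? '';
    if (!ctype_digit((string) $raw) || (int) $raw <= 0) {
        http_response_code(400);   // invalid id: refuse the request outright
        return '';
    }
    $templateid = (int) $raw;

    $stmt = $db->prepare('SELECT stylesheet FROM cms_templates WHERE template_id = ?');
    $stmt->bind_param('i', $templateid);
    $stmt->execute();
    $stmt->bind_result($css);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (string) $css : '';
}
```

The integer check alone closes the hole for a numeric id, but the prepared statement is the general fix that still holds when the parameter is not numeric.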

Re: FYI - Found possible new CMSMS Vulnerability

Posted: Wed Jan 02, 2008 3:27 pm
by tsw
vendor-supplied hotfix available now


http://cmsmadesimple.org/pastebin/1440


or uninstall tinymce and remove its files

Re: FYI - Found possible new CMSMS Vulnerability

Posted: Wed Jan 02, 2008 5:03 pm
by Pierre M.
Hello,

thank you for reporting and thanks devs for the hot fix.
johnbmcdonald wrote: Filter malicious characters and character sequences via (...) URL filtering capabilities.
...as described in CMSms documentation about URL filtering:
http://wiki.cmsmadesimple.org/index.php ... l_Settings

Pierre M.

Re: FYI - Found possible new CMSMS Vulnerability

Posted: Wed Jan 02, 2008 5:44 pm
by johnbmcdonald
You're welcome. I am glad to help where I can.

BTW: I just ran across another page that was modified.

http://www.cmsmadesimple.org/features

John

Re: FYI - Found possible new CMSMS Vulnerability

Posted: Wed Jan 02, 2008 7:47 pm
by Duketown
That is a pity, some more work to do:
the development\roadmap has been changed as well.
:-[

Re: FYI - Found possible new CMSMS Vulnerability

Posted: Wed Jan 02, 2008 7:53 pm
by Pierre M.
johnbmcdonald wrote: BTW: I just ran across another page that was modified.
http://www.cmsmadesimple.org/features
Yes, I have seen.
And I have tried http://www.cmsmadesimple.org/features?s ... d.site.tld
and it is fixed in between (but not filtered). Funny

Re: FYI - Found possible new CMSMS Vulnerability

Posted: Wed Jan 02, 2008 7:55 pm
by hprofet
I think the template itself was changed not individual pages...

Re: FYI - Found possible new CMSMS Vulnerability

Posted: Fri Jan 04, 2008 8:43 pm
by LC350
Hello,

I just came across cmsms today and downloaded 1.2.3 (after trying many others)

Then I came across this thread.

Can anyone tell me if 1.2.3 is now clear as far as the SQL injection, or do I still need to disable or remove tiny mce?

I really feel for the dev team, because I am so impressed by the package when compared with drupal/joomla.

Thank you for any advice.

Re: FYI - Found possible new CMSMS Vulnerability

Posted: Fri Jan 04, 2008 8:44 pm
by calguy1000
1.2.3 is the 'fixed version'. It takes care of the aforementioned SQL injection vulnerability.

Go ahead, install, play around.

Re: FYI - Found possible new CMSMS Vulnerability

Posted: Fri Jan 04, 2008 8:51 pm
by LC350
Thanks very much for the quick reply. Much appreciated.

So is it ok to enable/use the tinymce editor with 1.2.3?

Thanks again.

Re: FYI - Found possible new CMSMS Vulnerability

Posted: Fri Jan 04, 2008 9:11 pm
by calguy1000
Yes, 1.2.3 fixed the vulnerability in Tiny.

Re: FYI - Found possible new CMSMS Vulnerability

Posted: Fri Jan 04, 2008 9:17 pm
by LC350
Thank you very much for clarifying that.

Looking forward to becoming familiar with cmsms, maybe asking a few questions, and then hopefully giving a bit back to the community.

Cheers.