FYI - Found possible new CMSMS Vulnerability

General project discussion. NOT for help questions.
johnbmcdonald
Forum Members
Posts: 60
Joined: Mon May 14, 2007 8:01 pm
Location: Edmond, OK, USA

FYI - Found possible new CMSMS Vulnerability

Post by johnbmcdonald »

http://secwatch.org/advisories/1019900/

Bugtraq ID:  BID#27074



Description:

An input validation vulnerability in the TinyMCE module for CMS Made Simple has been reported, which can be exploited by remote users to conduct SQL injection attacks.

User-supplied input passed to the "templateid" parameter in the modules/TinyMCE/content_css.php script is not correctly sanitised before being used in a SQL query.  This can be exploited by a specially crafted parameter value to execute arbitrary SQL commands on the underlying database.



Affected:

CMS Made Simple version 1.2.2. Other versions may also be affected.



Proof of Concept:

SQL Injection:
http://[target]/modules/TinyMCE/content_css.php?templateid=[SQL]



Solution:

There was no vendor-supplied solution at the time of entry.

Edit source code manually to ensure user-supplied input is correctly sanitised.

Filter malicious characters and character sequences via a HTTP proxy or firewall with URL filtering capabilities.

Credits:

EgiX
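
One way to apply the advisory's "edit source code manually" advice to an integer parameter such as templateid, shown as an added example that is not part of the original post and is not CMS Made Simple's code or its hotfix. The table `demo_css`, its columns, and both function names are hypothetical, and the sample values are constructed.

```php
<?php
// Added example, not CMS Made Simple code. Table and column names are hypothetical.

/**
 * Accept templateid only if it is a plain positive integer.
 * Returns the integer, or null when the value must be rejected.
 */
function parse_template_id($raw): ?int
{
    // Arrays (templateid[]=15), signs, spaces and empty strings all fail here.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/**
 * Look up stylesheet text with a bound parameter, so the value is never
 * concatenated into the SQL string even if the validation is later loosened.
 */
function load_css(PDO $db, int $templateId): string
{
    $stmt = $db->prepare('SELECT css_text FROM demo_css WHERE template_id = ?');
    $stmt->execute([$templateId]);
    return implode("\n", $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed in-memory data so the script runs offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_css (template_id INTEGER, css_text TEXT)');
$db->exec("INSERT INTO demo_css VALUES (15, 'body { margin: 0; }')");

// Constructed request values; '15 trailing-text' stands in for the
// advisory's [SQL] placeholder, ['15'] for an array-typed parameter.
$samples = ['15', '015', '-1', '', '15 trailing-text', ['15']];
foreach ($samples as $raw) {
    $id = parse_template_id($raw);
    if ($id === null) {
        echo json_encode($raw), " => rejected (would answer HTTP 400)\n";
        continue;
    }
    echo json_encode($raw), ' => ', json_encode(load_css($db, $id)), "\n";
}
```

Validation and the bound parameter are independent layers: either one alone keeps the value out of the SQL text, and keeping both means a later change to one does not reopen the hole.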
tsw
Power Poster
Posts: 1408
Joined: Tue Dec 13, 2005 10:50 pm
Location: Finland

Re: FYI - Found possible new CMSMS Vulnerability

Post by tsw »

vendor supplied hotfix available now


http://cmsmadesimple.org/pastebin/1440


or uninstall tinymce and remove its files
Pierre M.

Re: FYI - Found possible new CMSMS Vulnerability

Post by Pierre M. »

Hello,

thank you for reporting and thanks devs for the hot fix.
johnbmcdonald wrote: Filter malicious characters and character sequences via (...) URL filtering capabilities.
...as described in CMSms documentation about URL filtering:
http://wiki.cmsmadesimple.org/index.php ... l_Settings

Pierre M.
johnbmcdonald
Forum Members
Posts: 60
Joined: Mon May 14, 2007 8:01 pm
Location: Edmond, OK, USA

Re: FYI - Found possible new CMSMS Vulnerability

Post by johnbmcdonald »

You're welcome. I am glad to help where I can.

BTW: I just ran across another page that was modified.

http://www.cmsmadesimple.org/features

John
Duketown

Re: FYI - Found possible new CMSMS Vulnerability

Post by Duketown »

That is a pity, some more work to do:
the development\roadmap has been changed as well.
:-[
Pierre M.

Re: FYI - Found possible new CMSMS Vulnerability

Post by Pierre M. »

johnbmcdonald wrote: BTW: I just ran across another page that was modified.
http://www.cmsmadesimple.org/features
Yes, I have seen.
And I have tried http://www.cmsmadesimple.org/features?s ... d.site.tld
and it is fixed in between (but not filtered). Funny
hprofet
New Member
Posts: 3
Joined: Wed Jan 02, 2008 5:38 pm

Re: FYI - Found possible new CMSMS Vulnerability

Post by hprofet »

I think the template itself was changed not individual pages...
LC350
New Member
Posts: 7
Joined: Fri Jan 04, 2008 8:33 pm

Re: FYI - Found possible new CMSMS Vulnerability

Post by LC350 »

Hello,

I just came across cmsms today and downloaded 1.2.3 (after trying many others)

Then I came across this thread.

Can anyone tell me if 1.2.3 is now clear as far as the SQL injection, or do I still need to disable or remove tiny mce?

I really feel for the dev team, because I am so impressed by the package when compared with drupal/joomla.

Thank you for any advice.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: FYI - Found possible new CMSMS Vulnerability

Post by calguy1000 »

1.2.3 is the 'fixed version'. It takes care of the aforementioned SQL injection vulnerability.

Go ahead, install, play around.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
LC350
New Member
Posts: 7
Joined: Fri Jan 04, 2008 8:33 pm

Re: FYI - Found possible new CMSMS Vulnerability

Post by LC350 »

Thanks very much for the quick reply. Much appreciated.

So is it ok to enable/use the tinymce editor with 1.2.3?

Thanks again.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: FYI - Found possible new CMSMS Vulnerability

Post by calguy1000 »

Yes, 1.2.3 fixed the vulnerability in Tiny.
LC350
New Member
Posts: 7
Joined: Fri Jan 04, 2008 8:33 pm

Re: FYI - Found possible new CMSMS Vulnerability

Post by LC350 »

Thank you very much for clarifying that.

Looking forward to becoming familiar with cmsms, maybe asking a few questions, and then hopefully giving a bit back to the community.

Cheers.