
All times are UTC




 Post subject: FYI - Found possible new CMSMS Vulnerability
Posted: Wed Jan 02, 2008 3:15 pm
Forum Members

Joined: Mon May 14, 2007 8:01 pm
Posts: 60
Location: Edmond, OK, USA
http://secwatch.org/advisories/1019900/

Bugtraq ID:  BID#27074



Description:

An input validation vulnerability in the TinyMCE module for CMS Made Simple has been reported, which can be exploited by remote users to conduct SQL injection attacks.

User-supplied input passed to the "templateid" parameter in the modules/TinyMCE/content_css.php script is not correctly sanitised before being used in a SQL query.  This can be exploited by a specially crafted parameter value to execute arbitrary SQL commands on the underlying database.



Affected:

CMS Made Simple version 1.2.2. Other versions may also be affected.



Proof of Concept:

SQL Injection:
http://[target]/modules/TinyMCE/content_css.php?templateid=[SQL]



Solution:

There was no vendor-supplied solution at the time of entry.

Edit source code manually to ensure user-supplied input is correctly sanitised.

Filter malicious characters and character sequences via a HTTP proxy or firewall with URL filtering capabilities.

Credits:

EgiX
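
Added example (not part of the original post or the advisory): the advisory's URL-filtering mitigation written as an allowlist check, usable to audit web access logs for requests to the affected script whose `templateid` is not a plain integer. The integer-only rule, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Script path and parameter named in the advisory.
VULN_PATH = "/modules/tinymce/content_css.php"
PARAM = "templateid"
# Assumption: a legitimate template id is a short decimal integer.
VALID_ID = re.compile(r"[0-9]{1,10}")
# Request field of a combined-format access-log line: "METHOD target PROTOCOL".
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def is_suspicious(target: str) -> bool:
    """True if a request target hits the script with a non-integer templateid."""
    parts = urlsplit(target)
    # Decode the path and compare case-insensitively; endswith() also covers
    # installations that live in a subdirectory.
    if not unquote(parts.path).lower().endswith(VULN_PATH):
        return False
    # parse_qs percent-decodes values; keep_blank_values keeps "templateid=".
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    # Flag a repeated parameter or any value that is not pure digits.
    return len(values) > 1 or any(not VALID_ID.fullmatch(v) for v in values)

def scan(log_lines):
    """Return (line_number, request_target) for each flagged log line."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if m and is_suspicious(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

# Constructed sample log lines (documentation IP addresses, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jan/2008:14:01:07 +0000] "GET /modules/TinyMCE/content_css.php?templateid=15 HTTP/1.1" 200 512',
    '192.0.2.44 - - [02/Jan/2008:14:03:19 +0000] "GET /modules/TinyMCE/content_css.php?templateid=15%27%20x HTTP/1.1" 200 48',
    '192.0.2.44 - - [02/Jan/2008:14:03:25 +0000] "GET /modules/TinyMCE/content_css.php?templateid=1&templateid=2 HTTP/1.1" 200 48',
    '192.0.2.10 - - [02/Jan/2008:14:05:00 +0000] "GET /index.php?page=features HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for n, target in scan(SAMPLE_LOG):
        print(f"line {n}: {target}")
```

The same `is_suspicious` check can back a reverse-proxy rule that rejects the request outright; it complements, and does not replace, the source-level fix.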


 Post subject: Re: FYI - Found possible new CMSMS Vulnerability
Posted: Wed Jan 02, 2008 3:27 pm
Power Poster
Joined: Tue Dec 13, 2005 10:50 pm
Posts: 1412
Location: Finland
vendor supplied hotfix available now


http://cmsmadesimple.org/pastebin/1440


or uninstall tinymce and remove its files


 Post subject: Re: FYI - Found possible new CMSMS Vulnerability
Posted: Wed Jan 02, 2008 5:03 pm
Support Guru
Joined: Mon Jul 24, 2006 3:27 pm
Posts: 3683
Location: Paris
Hello,

thank you for reporting and thanks devs for the hot fix.

johnbmcdonald wrote:
Filter malicious characters and character sequences via (...) URL filtering capabilities.

...as described in CMSms documentation about URL filtering :
http://wiki.cmsmadesimple.org/index.php ... l_Settings

Pierre M.

_________________
-- Pierre, support team member. Co-moderator of the French-language forum.
Please read "how to submit installation/support requests" before posting. Don't send private messages to ask for support.


 Post subject: Re: FYI - Found possible new CMSMS Vulnerability
Posted: Wed Jan 02, 2008 5:44 pm
Forum Members

Joined: Mon May 14, 2007 8:01 pm
Posts: 60
Location: Edmond, OK, USA
You're welcome. I am glad to help where I can.

BTW: I just ran across another page that was modified.

http://www.cmsmadesimple.org/features

John


 Post subject: Re: FYI - Found possible new CMSMS Vulnerability
Posted: Wed Jan 02, 2008 7:47 pm
Power Poster

Joined: Fri Jun 08, 2007 7:29 pm
Posts: 896
Location: 's-Hertogenbosch, Netherlands
That is a pity, some more work to do:
the development\roadmap has been changed as well.
:-[

_________________
Want to know more about CMSMS look at my site: http://www.duketown.eu


 Post subject: Re: FYI - Found possible new CMSMS Vulnerability
Posted: Wed Jan 02, 2008 7:53 pm
Support Guru
Joined: Mon Jul 24, 2006 3:27 pm
Posts: 3683
Location: Paris
johnbmcdonald wrote:
BTW: I just ran across another page that was modified.
http://www.cmsmadesimple.org/features


Yes, I have seen.
And I have tried http://www.cmsmadesimple.org/features?s ... d.site.tld
and it is fixed in between (but not filtered). Funny

 Post subject: Re: FYI - Found possible new CMSMS Vulnerability
Posted: Wed Jan 02, 2008 7:55 pm
New Member

Joined: Wed Jan 02, 2008 5:38 pm
Posts: 3
I think the template itself was changed not individual pages...


 Post subject: Re: FYI - Found possible new CMSMS Vulnerability
Posted: Fri Jan 04, 2008 8:43 pm
New Member

Joined: Fri Jan 04, 2008 8:33 pm
Posts: 8
Hello,

I just came across cmsms today and downloaded 1.2.3 (after trying many others)

Then I came across this thread.

Can anyone tell me if 1.2.3 is now clear as far as the SQL injection, or do I still need to disable or remove tiny mce?

I really feel for the dev team, because I am so impressed by the package when compared with drupal/joomla.

Thank you for any advice.


 Post subject: Re: FYI - Found possible new CMSMS Vulnerability
Posted: Fri Jan 04, 2008 8:44 pm
Dev Team Member

Joined: Tue Oct 19, 2004 6:44 pm
Posts: 7136
Location: Fernie British Columbia, Canada
1.2.3 is the 'fixed version'. It takes care of the aforementioned SQL injection vulnerability.

Go ahead, install, play around.

_________________
Follow me on twitter
--
if you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
----------------
Don't make me angry..... you won't like me when I'm angry....


 Post subject: Re: FYI - Found possible new CMSMS Vulnerability
Posted: Fri Jan 04, 2008 8:51 pm
New Member

Joined: Fri Jan 04, 2008 8:33 pm
Posts: 8
Thanks very much for the quick reply. Much appreciated.

So is it ok to enable/use the tinymce editor with 1.2.3?

Thanks again.


 Post subject: Re: FYI - Found possible new CMSMS Vulnerability
Posted: Fri Jan 04, 2008 9:11 pm
Dev Team Member

Joined: Tue Oct 19, 2004 6:44 pm
Posts: 7136
Location: Fernie British Columbia, Canada
Yes, 1.2.3 fixed the vulnerability in Tiny.

 Post subject: Re: FYI - Found possible new CMSMS Vulnerability
Posted: Fri Jan 04, 2008 9:17 pm
New Member

Joined: Fri Jan 04, 2008 8:33 pm
Posts: 8
Thank you very much for clarifying that.

Looking forward to becoming familiar with cmsms, maybe asking a few questions, and then hopefully giving a bit back to the community.

Cheers.

