http://secwatch.org/advisories/1019900/

Bugtraq ID:  BID#27074



Description:

An input validation vulnerability in the TinyMCE module for CMS Made Simple has been reported, which can be exploited by remote users to conduct SQL injection attacks.

User-supplied input passed to the "templateid" parameter in the modules/TinyMCE/content_css.php script is not correctly sanitised before being used in a SQL query.  This can be exploited by a specially crafted parameter value to execute arbitrary SQL commands on the underlying database.



Affected:

CMS Made Simple version 1.2.2. Other versions may also be affected.



Proof of Concept:

SQL Injection:
http://[target]/modules/TinyMCE/content_css.php?templateid=[SQL]



Solution:

There was no vendor-supplied solution at the time of entry.

Edit source code manually to ensure user-supplied input is correctly sanitised.

Filter malicious characters and character sequences via a HTTP proxy or firewall with URL filtering capabilities.

Credits:

EgiX

wendor supplied hotfix available now


http://cmsmadesimple.org/pastebin/1440


or uninstall tinymce and remove its files

Hello,

thank you for reporting and thanks devs for the hot fix.


...as described in CMSms documentation about URL filtering :
http://wiki.cmsmadesimple.org/index.php ... l_Settings

Pierre M.

_________________
-- Pierre, support team member. comodérateur du forum francophone.
Please read "how to submit installation/support requests" before posting. Don't send private messages to ask for support.
Want to contribute to CMSms ? Improve the wiki with your forum account.

Your welcome. I am glad to help where I can.

BTW: I juist ran across another page that was modified.

http://www.cmsmadesimple.org/features

John

That is a pitty, some more work to do:
the development\roadmap has been changed as well.

_________________
Want to know more about CMSMS look at my site: http://www.duketown.eu

Yes, I have seen.
And I have tried http://www.cmsmadesimple.org/features?s ... d.site.tld
and it is fixed in between (but not filtered). Funny

_________________
-- Pierre, support team member. comodérateur du forum francophone.
Please read "how to submit installation/support requests" before posting. Don't send private messages to ask for support.
Want to contribute to CMSms ? Improve the wiki with your forum account.

I think the template itself was changed not individual pages...

Hello,

I just came across cmsms today and downloaded 1.2.3 (after trying many others)

Then I came across this thread.

Can anyone tell me if 1.2.3 is now clear as far as the SQL injection, or do I still need to disable or remove tiny mce?

I really feel for the dev team, because I am so impressed by the package when compared with drupal/joomla.

Thank you for any advice.

1.2.3 is the 'fixed version'.  it takes care of the afore mentiond SQL injection vulnerability. 

Go ahead, install, play around.

_________________
Follow me on twitter
For quality help follow these instructions:
a) Think about the problem for an hour
b) research the problem for an hour
c) spend 1/2 an hour explaining it and providing as much information as you can muster
(too much information is okay, not enough information may get your question ignored).
--
if you can't bother explaining your problem well, why should we bother helping with it.
----------------
Don't make me angry..... you won't like me when I'm angry....

Thanks very much for the quick reply. Much appreciated.

So is it ok to enable/use the tinymce editor with 1.2.3
?

Thanks again.

Yes, 1.2.3 fixed the vulnerability in Tiny.

_________________
Follow me on twitter
For quality help follow these instructions:
a) Think about the problem for an hour
b) research the problem for an hour
c) spend 1/2 an hour explaining it and providing as much information as you can muster
(too much information is okay, not enough information may get your question ignored).
--
if you can't bother explaining your problem well, why should we bother helping with it.
----------------
Don't make me angry..... you won't like me when I'm angry....

Thank you very much for clarifying that.

Looking forward to becoming familiar with cmsms, maybe asking a few questions, and then hopefully giving a bit back to the community.

Cheers.