CMSMS eval vulnerability

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
postiffm
Forum Members
Posts: 124
Joined: Tue Nov 30, 2010 12:16 am

CMSMS eval vulnerability

Post by postiffm »

Someone just pointed this out to me: https://www.exploit-db.com/exploits/49345. Wondered if a fix is available.

The vulnerability is present in "editusertag.php" at line #93, where user input is passed to the PHP eval() function.

// Vulnerable eval() code

if (eval('function testfunction'.rand().'() {'.$code."\n}") === FALSE) {
...
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: CMSMS eval vulnerability

Post by Jo Morg »

Sorry, but that is not a vulnerability:
"Reproduction Steps:

1. Login as administrator user and navigate to Extensions->User Defined Tags"
Soooo... you need to login as administrator to hack your own site?.... really???

Please read: https://www.cmsmadesimple.org/community ... nerability
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
postiffm
Forum Members
Posts: 124
Joined: Tue Nov 30, 2010 12:16 am

[SOLVED] Re: CMSMS eval vulnerability

Post by postiffm »

You would know better than I. Total newb when it comes to things like that. I considered what you said prior to posting. I wondered if they meant this gave you RCE on the webhost's server, not to affect the website you already have admin access to, but to the server more broadly.
postiffm
Forum Members
Posts: 124
Joined: Tue Nov 30, 2010 12:16 am

Re: CMSMS vulnerability

Post by postiffm »

Sorry, the person that pointed this out to me was actually pointing me to a different place than I thought. Maybe this will prove more helpful to the dev team.

CMS Made Simple - File upload bypass with .phar extension leads to RCE riccardo krauter (Mar 19)
1) Summary

Affected software CMS Made Simple-2.2.15
Vendor URL http://www.cmsmadesimple.org/
Vulnerability File upload bypass with .phar extension leads to RCE

2) Vulnerability Description

The vulnerability affects the `FilePicker` module: it is possible to bypass the restriction and upload a malicious file with a `.phar` extension to gain Remote Code Execution.
This vulnerability is remotely...

CMS Made Simple SQL injection on m1_sortby parameter riccardo krauter (Mar 19)
1) Summary

Affected software CMS Made Simple-2.2.15
Vendor URL http://www.cmsmadesimple.org/
Vulnerability SQL injection

2) Vulnerability Description

The affected software is vulnerable to SQL injection via the m1_sortby POST parameter of the News module, reachable via
the moduleinterface.php page.
The `sortby` parameter is sanitized by replacing the `'` character with `_`; however, it is...
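As an added illustration (not code from CMSMS or from the quoted advisories), the two weak patterns the advisories describe beside hardened checks: an allowlist for the sort column instead of quote stripping, and an upload-name check that allowlists extensions and refuses anything PHP could execute, `.phar` included. All function and column names are assumptions.

```php
<?php
// Added example, not CMSMS code. Function and column names are assumptions.

// Weak pattern from the SQL injection advisory: swapping the quote character
// does nothing for a value that ends up unquoted inside an ORDER BY clause.
function weakSortBy(string $sortby): string
{
    return str_replace("'", "_", $sortby);
}

// Hardened: the request value only selects an entry from a fixed allowlist,
// so the string that reaches SQL is always one of our own literals.
function safeSortBy(string $sortby, string $default = 'news_date'): string
{
    // Constructed column names for illustration.
    $allowed = ['news_date' => 'news_date', 'news_title' => 'news_title', 'id' => 'news_id'];
    return $allowed[$sortby] ?? $default;
}

// Hardened upload check for the FilePicker scenario: an allowlist of the
// extensions the picker should accept, evaluated on the lowercased last
// extension, plus a refusal of any executable extension anywhere in the
// name (covers .phar as well as double extensions such as name.php.jpg).
function safeUploadName(string $filename): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
    $executable = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar'];
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2) {
        return false;                 // no extension at all: reject
    }
    array_shift($parts);              // drop the base name, keep extensions
    foreach ($parts as $ext) {
        if (in_array($ext, $executable, true)) {
            return false;             // e.g. upload.phar or upload.phar.png
        }
    }
    return in_array(end($parts), $allowed, true);
}
```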
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: CMSMS eval vulnerability

Post by Jo Morg »

To be clear, my initial comment was related to the RCE, not your post, which is a pertinent question.
WRT your last post: do you have a link that we can follow? Thanks.
postiffm
Forum Members
Posts: 124
Joined: Tue Nov 30, 2010 12:16 am

Re: CMSMS eval vulnerability

Post by postiffm »

Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: CMSMS eval vulnerability

Post by Jo Morg »

Looking at those, I'll refer you back to my original reply, since they all require authentication. There are situations where we may tighten up security a bit, specifically where there is a risk of escalation of rights and there is no mitigation via permission granularity, and we'll do it as time permits, as stated in the link I posted. Other than those, we pay particular attention to, and try to fix, those that don't require authentication, as those are the ones that are extremely dangerous. And we do it as fast as we can and in a collaborative way whenever possible.