FYI.... New one popped up.
http://secunia.com/advisories/26928/
Description:
irk4z has discovered a vulnerability in CMS Made Simple, which can be exploited by malicious people to compromise a vulnerable system.
Input passed to the "last_module" parameter in lib/adodb_lite/adodb-perf-module.inc.php is not properly sanitised before being used in a call to "eval()". This can be exploited to inject and execute arbitrary PHP code via a specially crafted parameter value.
Successful exploitation requires that "register_globals" is enabled.
The vulnerability is confirmed in version 1.1.3.1. Other versions may also be affected.
John
CMS Made Simple 1.1.3.1 "eval()" Injection Vulnerability
- johnbmcdonald
Re: CMS Made Simple 1.1.3.1 "eval()" Injection Vulnerability
Thanks John,
I forwarded to the DEVs
Ronny
Re: CMS Made Simple 1.1.3.1 "eval()" Injection Vulnerability
Thanks for keeping your ear to the ground John.
The sooner vulnerabilities can be fixed the better.
Re: CMS Made Simple 1.1.3.1 "eval()" Injection Vulnerability
I'm testing this now (it's the same vulnerability as the other day) and I can't confirm that it's still a problem. Can some other people try this when they get a minute? I'm wondering if they're either confused or not telling the whole story.
Thanks!
Re: CMS Made Simple 1.1.3.1 "eval()" Injection Vulnerability
I can confirm that the vulnerability has been fixed.
As from the report
Successful exploitation requires that "register_globals" is enabled.
I tried both with register global on and off.
Here follows the message I get trying the indicated URL
Attempt to use ADODB from outside of CMS
I think we should report to Secunia the error in the version indicated.
Just a reflection:
as far as I know CMSMS works with register global off, therefore it does not rely on it, so it should be immune to this kind of exploit.
therefore the problem is in adodb.
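The advisory quoted in this thread describes a request-supplied value reaching "eval()" when "register_globals" is on, and the message quoted in the reply above suggests the include file now refuses direct requests. The PHP below is an added sketch of those two defences plus explicit initialisation; it is not code from CMS Made Simple, ADOdb Lite or any poster, and APP_ENTRY, require_app_context, perf_modules and load_perf_module are hypothetical names.

```php
<?php
// Hypothetical sketch: the names below are invented for illustration and are
// not taken from CMS Made Simple or ADOdb Lite.

// Guard for include-only files: the front controller is assumed to define
// APP_ENTRY before including anything, so a direct request stops here.
function require_app_context(): void
{
    if (!defined('APP_ENTRY')) {
        http_response_code(403);
        exit('Direct access to this file is not allowed');
    }
}

// Fixed map of selectable modules to code the application itself ships.
function perf_modules(): array
{
    return [
        'mysql'    => function (): string { return 'mysql perf module loaded'; },
        'postgres' => function (): string { return 'postgres perf module loaded'; },
    ];
}

// Resolve a module by exact key match; the name is only ever a lookup key
// and is never passed to eval(), include or a variable function call.
function load_perf_module($name): string
{
    $modules = perf_modules();
    if (!is_string($name) || !array_key_exists($name, $modules)) {
        throw new InvalidArgumentException('Unknown performance module');
    }
    return $modules[$name]();
}

define('APP_ENTRY', true);   // done by the front controller in a real app
require_app_context();

// Initialise before use: with register_globals on, an unset $last_module
// would otherwise take whatever value the request supplied.
$last_module = 'mysql';
echo load_perf_module($last_module), PHP_EOL;

// Constructed sample of an unexpected value: rejected, nothing is evaluated.
try {
    load_perf_module('mysql_extra; anything else');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```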
Re: CMS Made Simple 1.1.3.1 "eval()" Injection Vulnerability
Thank you John for the report.
Thank you Devs for your responsiveness.
I think filtering out URIs with double slashes or brackets or other oddities prevents such attacks from even reaching CMSms (rejecting them before the PHP layer). But I'm not a security expert and I have not audited this particular exploit.
Pierre M.
Last edited by Pierre M. on Tue Sep 25, 2007 4:36 pm, edited 1 time in total.