Security Announce: CMS Made Simple <= 0.10 - PHP injection

Akrabat

Security Announce: CMS Made Simple <= 0.10 - PHP injection

Post by Akrabat »

I belong to phpsec, a security mailing list and this mail turned up this morning.  Not sure if you've seen it yet Wishy?
------ Forwarded Message
From:
Date: 31 Aug 2005 19:18:04 -0000
To:
Subject: CMS Made Simple
  --------------------------------------------------------

  Exploit:

example.html:
 
 
 
 
EOF

  --------------------------------------------------------

  Contact:

      Author: Filip Groszynski (VXSfx)
      Location: Poland
      Email: groszynskif gmail com

  -- == -- == -- == -- == -- == -- == -- == -- == -- == --


------ End of Forwarded Message




Reading the example exploit, I'm pretty sure that it can only occur with register_globals set to on. However, still needs fixing.

Possible fix:
Ensure that $onefile is a local file within the expected cmsms directory before including it. (Probably have to store the "expected cms directory" as a define/const maybe?)


Rob...
Ted

Re: Security Announce: CMS Made Simple <= 0.10 - PHP injection

Post by Ted »

Actually, I was going to release a fix this morning.  I was just going to make sure $nls and $lang were declared as blank arrays at the top of the page.  This way, even if $nls was passed with register_globals on, any offending URLs would get blown away.

Make sense?
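
The two fixes proposed in this thread, sketched together as an added example (not CMS Made Simple code and not written by either poster): the arrays are initialised before use, and `$onefile` is resolved and checked against the expected directory before it is included. `CMS_LANG_DIR`, `is_inside_dir()` and the directory layout are hypothetical; the files are constructed in a temp directory so the script runs on its own.

```php
<?php
// Added example, not CMS Made Simple code. CMS_LANG_DIR, is_inside_dir()
// and the directory layout are hypothetical.

// Ted's fix: assign the arrays before anything reads them, so a value
// injected through register_globals is overwritten.
$nls  = array();
$lang = array();

// Akrabat's fix: resolve the path and require it to be a file under the
// expected directory before it is included.
function is_inside_dir($baseDir, $candidate)
{
    $base = realpath($baseDir);
    $real = realpath($candidate);   // false for URLs and missing files
    if ($base === false || $real === false || !is_file($real)) {
        return false;
    }
    // Trailing separator stops "lang_other" from matching the "lang" prefix.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0;
}

// Constructed demo tree standing in for the CMS install.
$root = sys_get_temp_dir() . '/cmsms_demo_' . getmypid();
define('CMS_LANG_DIR', $root . '/lang');
mkdir(CMS_LANG_DIR, 0700, true);
mkdir($root . '/lang_other', 0700, true);
file_put_contents(CMS_LANG_DIR . '/en_US.php', '<?php $lang["hello"] = "Hello";');
file_put_contents($root . '/lang_other/x.php', '<?php $lang["hello"] = "outside";');

$candidates = array(
    CMS_LANG_DIR . '/en_US.php',            // expected file
    CMS_LANG_DIR . '/../lang_other/x.php',  // resolves outside the directory
    $root . '/lang_other/x.php',            // sibling sharing the name prefix
    'http://example.invalid/x.php',         // URL, placeholder host
);
foreach ($candidates as $onefile) {
    if (is_inside_dir(CMS_LANG_DIR, $onefile)) {
        include $onefile;
        echo "included: $onefile\n";
    } else {
        echo "rejected: $onefile\n";
    }
}
echo $lang['hello'], "\n";
```

Only the first candidate passes the check; comparing against the resolved base path with a trailing separator is what rejects the sibling directory that shares the `lang` prefix.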
Ted

Re: Security Announce: CMS Made Simple <= 0.10 - PHP injection

Post by Ted »

Akrabat

Re: Security Announce: CMS Made Simple <= 0.10 - PHP injection

Post by Akrabat »

Looks good to me.