CMS Made Simple 1.1.3.1 "eval()" Injection Vulnerability

Posted: Tue Sep 25, 2007 2:16 am
by johnbmcdonald
FYI....  New one popped up.

http://secunia.com/advisories/26928/

Description:
irk4z has discovered a vulnerability in CMS Made Simple, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "last_module" parameter in lib/adodb_lite/adodb-perf-module.inc.php is not properly sanitised before being used in a call to "eval()". This can be exploited to inject and execute arbitrary PHP code via a specially crafted parameter value.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability is confirmed in version 1.1.3.1. Other versions may also be affected.

John
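The advisory quoted above describes the classic shape of this bug class: a request-controlled value (here reaching a variable through register_globals) ends up inside a call to eval(). The following PHP is an added illustration written for this thread, not code from CMS Made Simple or from the ADOdb Lite library; the constant name CMS_APP_LOADED, the allow-list contents and the perf-*.inc.php file layout are assumptions. It shows the two defences a maintainer would want: a guard that refuses direct inclusion of a library file (the behaviour later posts in this thread report seeing), and resolving the module name through an allow-list instead of passing it to eval().

```php
<?php
// Added illustrative example, not code from CMS Made Simple or ADOdb Lite.
// All names here (CMS_APP_LOADED, $allowed_modules, perf-*.inc.php) are assumed.

// 1. Refuse to run when this file is requested directly over HTTP.
//    The application defines a constant before including its libraries;
//    a direct request to the library file never has it, so the script stops
//    before any parameter is looked at.
if (!defined('CMS_APP_LOADED')) {
    die('Attempt to use the library from outside of the application');
}

// 2. Never hand a request value to eval(). With register_globals enabled a
//    query parameter such as last_module would silently populate a global
//    variable of the same name; with it disabled a script might still read it
//    from $_GET. In both cases the safe pattern is the same: map the name
//    through an allow-list and build the include path from that, so no
//    attacker-controlled string is ever evaluated as code.
function resolve_perf_module(string $requested): string
{
    // Hypothetical allow-list of module names the application actually ships.
    static $allowed_modules = ['mysql', 'pgsql', 'sqlite'];

    $name = strtolower(trim($requested));
    if (!in_array($name, $allowed_modules, true)) {
        // Record the rejected value for the operator and fall back to a
        // known-good default rather than trusting the input.
        error_log('perf module rejected: ' . var_export($requested, true));
        $name = 'mysql';
    }
    // The path is assembled only from allow-listed pieces.
    return __DIR__ . '/perf-' . $name . '.inc.php';
}

// Read the parameter explicitly instead of relying on register_globals,
// and use a plain include of the resolved path instead of eval().
$last_module = isset($_GET['last_module']) ? (string) $_GET['last_module'] : 'mysql';
$module_file = resolve_perf_module($last_module);
// require_once $module_file;  // assumed file layout, see lead-in
```

The guard at the top is what makes the fix robust independently of the php.ini setting: with register_globals either on or off, a direct request to the library file terminates before any parameter is read, which is why testers in this thread see only the "outside of CMS" message.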

Re: CMS Made Simple 1.1.3.1 "eval()" Injection Vulnerability

Posted: Tue Sep 25, 2007 5:34 am
by RonnyK
Thanks John,

I forwarded it to the devs.

Ronny

Re: CMS Made Simple 1.1.3.1 "eval()" Injection Vulnerability

Posted: Tue Sep 25, 2007 5:38 am
by cubix
Thanks for keeping your ear to the ground John.

The sooner vulnerabilities can be fixed, the better.

Re: CMS Made Simple 1.1.3.1 "eval()" Injection Vulnerability

Posted: Tue Sep 25, 2007 9:50 am
by Ted
I'm testing this now (it's the same vulnerability as the other day) and I can't confirm that it's still a problem.  Can some other people try this when they get a minute?  I'm wondering if they're either confused or not telling the whole story.

Thanks!

Re: CMS Made Simple 1.1.3.1 "eval()" Injection Vulnerability

Posted: Tue Sep 25, 2007 11:23 am
by Bobonov
I can confirm that the vulnerability has been fixed.

As stated in the report:

Successful exploitation requires that "register_globals" is enabled.

I tried both with register_globals on and off.

Here follows the message I get when trying the indicated URL:

Attempt to use ADODB from outside of CMS

I think we should report to Secunia the error in the version indicated.

Just a reflection:
As far as I know, CMSMS works with register_globals off, therefore it does not rely on it, and so it should be immune to this kind of exploit.
Therefore the problem is in ADOdb.

Re: CMS Made Simple 1.1.3.1 "eval()" Injection Vulnerability

Posted: Tue Sep 25, 2007 4:34 pm
by Pierre M.
Thank you John for the report.
Thank you Devs for your responsiveness.

I think filtering out URIs with double slashes, brackets or other oddities prevents such attacks from even reaching CMSms (rejecting them before the PHP layer). But I'm not a security expert and I have not audited this particular exploit.

Pierre M.