
Security Announce: CMS Made Simple <= 0.10 - PHP injection

Posted: Thu Sep 01, 2005 7:49 am
by Akrabat
I belong to phpsec, a security mailing list and this mail turned up this morning.  Not sure if you've seen it yet Wishy?
------ Forwarded Message
From:
Date: 31 Aug 2005 19:18:04 -0000
To:
Subject: CMS Made Simple
  --------------------------------------------------------

  Exploit:

example.html:
 
 
 
 
EOF

  --------------------------------------------------------

  Contact:

      Author: Filip Groszynski (VXSfx)
      Location: Poland
      Email: groszynskif gmail com

  -- == -- == -- == -- == -- == -- == -- == -- == -- == --


------ End of Forwarded Message



--
[phpsec] Mailing List
Brought to you by php|architect - http://www.phparch.com

For account maintenance, please visit http://www.phparch.com/phpsec

Reading the example exploit, I'm pretty sure that it can only occur with register_globals set to on. However, it still needs fixing.

Possible fix:
Ensure that $onefile is a local file within the expected cmsms directory before including it. (Probably have to store the "expected cms directory" as a define/const maybe?)


Rob...

Re: Security Announce: CMS Made Simple <= 0.10 - PHP injection

Posted: Thu Sep 01, 2005 9:45 am
by Ted
Actually, I was going to release a fix this morning.  I was just going to make sure $nls and $lang were declared as blank arrays at the top of the page.  This way, even if $nls was passed with register_globals on, any offending URLs would get blown away.

Make sense?

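Both fixes proposed in this thread (declaring $nls and $lang as empty arrays before anything reads them, and only including $onefile when it resolves to a local file under the expected directory) can be combined. The block below is an added example, not code from CMS Made Simple or from either poster; the constant name CMS_LANG_DIR, the function name cms_local_include_path() and the sample $onefile value are assumptions.

```php
<?php
// Added example (not CMS Made Simple's own code) showing the two hardening
// steps discussed in this thread, applied to a language-file include.

// Step 1: declare the arrays before they are read. With register_globals on,
// a value smuggled in via the request is overwritten here, so the loop that
// later iterates $nls never sees an attacker-supplied entry.
$nls  = array();
$lang = array();

// Assumed constant naming the directory language files must live in.
define('CMS_LANG_DIR', dirname(__FILE__) . DIRECTORY_SEPARATOR . 'lang');

// Step 2: accept $onefile only if it resolves to an existing .php file
// strictly below $base_dir. realpath() collapses "../" segments and returns
// false for paths that do not exist (including remote URLs), and the prefix
// check rejects anything that escapes the directory.
function cms_local_include_path($onefile, $base_dir)
{
    if (!is_string($onefile) || $onefile === '') {
        return false;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return false;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $onefile);
    if ($path === false || !is_file($path)) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;   // resolved outside the language directory
    }
    if (substr($path, -4) !== '.php') {
        return false;   // only language source files are ever included
    }
    return $path;
}

// Constructed usage: in the real page $onefile comes from the $nls entries.
$onefile = 'en_US.php';
$safe = cms_local_include_path($onefile, CMS_LANG_DIR);
if ($safe !== false) {
    include $safe;
}
```

With both steps in place, a hostile $nls entry is discarded by the re-declaration, and even a hostile $onefile that reached the include would fail the realpath() and prefix checks rather than being executed.
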
Re: Security Announce: CMS Made Simple <= 0.10 - PHP injection

Posted: Thu Sep 01, 2005 12:29 pm
by Ted

Re: Security Announce: CMS Made Simple <= 0.10 - PHP injection

Posted: Thu Sep 01, 2005 3:25 pm
by Akrabat
Looks good to me.