Arbitrary Remote File Upload exploit due to uploadview.php??

Post by planegoofy »

My ISP recently deactivated my account due to the following exploit in Filemanager's uploadview.php file. See the following links for more information.

http://www.securityfocus.com/bid/47637
http://www.exploit-id.com/web-applicati ... ade-simple

I realize both reference CMSMS 1.9.4.1 but I saw no reference to this being fixed in 1.9.4.2, on the boards or any recent updates to the filemanager package.

I now have access to the site and nothing appeared to have been changed but I reinstalled from fresh 1.9.4.2 and brought over my database. I filed a bug report on June 13th and was wondering if this is a legitimate exploit that I need to worry about. Thanks.

Jeff
calguy1000
Support Guru

Re: Arbitrary Remote File Upload exploit due to uploadview.p

Post by calguy1000 »

Okay, I'm going to put this issue to bed... seems I'm the only one that has bothered to look into it (except for the first link you supplied that said unquote "Not Vulnerable").

The absolute first two lines of this file other than the opening <?php line state:

if (!isset($gCms)) exit;
if (!$this->CheckPermission('Modify Files')) exit;

which means that this function will do nothing UNLESS this function is called from within CMSMS AND the currently logged in admin user cannot do the action unless he has permission.

SO: under normal circumstances (your server would have to be REALLY insecure to allow this). The user has to be logged in to CMSMS with the same browser AND have the supplied permission.

Nuf said.

BTW... Please don't double post. I'll delete them both next time.
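An added example, not part of the thread and not CMSMS code: a small audit check that a PHP action file really starts with the two guard statements quoted in the reply above, so a guard that was removed or pushed below other code is reported. The function names and the sample file contents are constructed for illustration, and the comment stripping is a simple regex that assumes no comment markers inside string literals near the top of the file.

```python
import re

# The two guard statements quoted in the reply, in the order they must appear.
REQUIRED_GUARDS = [
    "if (!isset($gCms)) exit;",
    "if (!$this->CheckPermission('Modify Files')) exit;",
]
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def _norm(stmt):
    """Drop all whitespace so formatting differences do not matter."""
    return re.sub(r"\s+", "", stmt)

def leading_statements(php_source, count):
    """Return the first `count` statements after the opening <?php tag."""
    m = re.match(r"\s*<\?php\b", php_source)
    if not m:
        return []  # output before the tag: treat the file as unguarded
    body = _COMMENTS.sub("", php_source[m.end():])
    # The guards are one-line `if (...) exit;` statements, so ';' splitting is enough.
    parts = [p.strip() + ";" for p in body.split(";") if p.strip()]
    return parts[:count]

def missing_guards(php_source, required=REQUIRED_GUARDS):
    """List the required guards that are not in place, in order, at the top."""
    found = [_norm(s) for s in leading_statements(php_source, len(required))]
    return [g for i, g in enumerate(required)
            if i >= len(found) or found[i] != _norm(g)]

# Constructed sample files (not taken from any CMSMS release).
GUARDED = """<?php
// upload handler
if (!isset($gCms)) exit;
if( !$this->CheckPermission('Modify Files') ) exit;
handle_upload();
"""
LATE_GUARD = """<?php
handle_upload();
if (!isset($gCms)) exit;
"""
PERMISSION_MISSING = """<?php
if (!isset($gCms)) exit;
handle_upload();
"""

if __name__ == "__main__":
    for name in ("GUARDED", "LATE_GUARD", "PERMISSION_MISSING"):
        print(name, "missing:", missing_guards(globals()[name]))
```
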