Hi,
I've tried to contact the developers of CMSMS to report a bug.
It turns out, the bug is over a year old and they've known about it and not fixed it.
The bug allows anyone who can visit the website to read files from your web server.
No developer has made any attempt to reach back out to me since I found it, and it appears to be the same for the people who reported it the year previously too.
There are other bugs in the code. I will continue to document them and produce vulnerability reports to let you, the users of CMSMS, know that by running this code you are at risk.
So I've taken the time to come here and let you know because the developers have ignored this issue.
********** Removed by moderator
It has been assigned an official CVE, so this is a public and known vulnerability which has never been resolved.
It's possible that, by continuing to run this code with known vulnerabilities, you are in breach of PCI standards, though I am not a lawyer.
Section 6.2 of PCI-DSS 3.1 states:
6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Since running a CMS Made Simple site means that you are knowingly running a system with unpatched vulnerabilities, this could be a problem.
To exploit this vulnerability, simply add the following to a CMS Made Simple site URL:
********** Removed by moderator
This will tell the filemanager module to display the file set as m1_file.
The m1_file variable is just a base64-encoded relative file path; the example above is ../config.php, which will retrieve the database username and password for the site on default installations.
You could of course take on the task of patching this code yourself; however, as I've already stated, this is not the only bug in this codebase, and if simple bugs like this are unpatched a year after they were made official.
Yes, I've tested the new beta version. No, it's still not fixed and the above proof of concept exploit will work there too.
I'm sorry you've been treated like this by these developers and left in the lurch.
I hope this helps you and stops any potential data breaches on your site.
I'll keep you posted with the new bugs as I find them.
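The traversal the post describes, and the containment check that stops it, as an added PHP example. This is not code from the original post or from the CMSMS project; the handler, the query-parameter handling, the uploads directory and the demo file layout are all assumptions used for illustration.

```php
<?php
// Added illustration, not CMSMS code and not its filemanager module.
// Assumes a hypothetical handler that receives a base64-encoded relative path
// and serves the file from an uploads directory, which is the shape of bug the
// post describes: "../config.php" walks out of the directory.

declare(strict_types=1);

// Unsafe pattern: decode the client-supplied path and read whatever it names.
function serve_unchecked(string $uploadsDir, string $encoded): ?string
{
    $relative = base64_decode($encoded, true);
    if ($relative === false) {
        return null;
    }
    $path = $uploadsDir . DIRECTORY_SEPARATOR . $relative;
    return is_file($path) ? file_get_contents($path) : null;
}

// Hardened: canonicalise with realpath() and require the result to sit under
// the uploads directory. realpath() collapses ".." and follows symlinks, so a
// path that escaped the directory no longer carries "$base/" as its prefix.
function resolve_within(string $uploadsDir, string $encoded): ?string
{
    $relative = base64_decode($encoded, true);
    if ($relative === false || $relative === '' || strpos($relative, "\0") !== false) {
        return null; // bad base64, empty name, or embedded NUL byte
    }
    $base = realpath($uploadsDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // does not exist, or resolved outside the uploads directory
    }
    return is_file($candidate) ? $candidate : null;
}

function serve_checked(string $uploadsDir, string $encoded): ?string
{
    $path = resolve_within($uploadsDir, $encoded);
    return $path === null ? null : file_get_contents($path);
}

// Constructed demo layout (assumption): <tmp>/config.php next to <tmp>/uploads/notes.txt
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/config.php', "<?php \$db_password = 'secret';\n");
file_put_contents($root . '/uploads/notes.txt', "hello\n");

$legit  = base64_encode('notes.txt');
$escape = base64_encode('../config.php');

// Unchecked handler hands back config.php; the checked one refuses it but
// still serves a file that really lives under uploads/.
var_dump(serve_unchecked($root . '/uploads', $escape));
var_dump(serve_checked($root . '/uploads', $escape));
var_dump(serve_checked($root . '/uploads', $legit));

// Tidy up the constructed files.
unlink($root . '/uploads/notes.txt');
unlink($root . '/config.php');
rmdir($root . '/uploads');
rmdir($root);
```

The prefix check has to run on the canonicalised path, not on the decoded string: rejecting the literal substring ".." misses encoded variants and symlinked directories, while comparing realpath() output against the realpath() of the base directory catches both.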
CMSMS sites at risk
Re: CMSMS sites at risk
Actually, I've tried this on a couple of sites, 1.12.2 and latest, and none did anything, especially let me see any files/folders...
Re: CMSMS sites at risk
We actually addressed this issue as soon as it was brought to our attention. Yes, there was a CVE filed some time ago which we didn't notice, but unfortunately we don't have the resources to monitor all of the reporting sites regularly.
We receive hundreds of vulnerability reports, and the majority of them are false or don't understand the nature of what a CMS is for. Even this one, when the CVE was first created, was filed in with 9 other "vulnerabilities" that required an admin to log in first.
In this case, we received an email reporting it, and had the fix out within two hours (version 2.2.12). The person reporting it followed up 90 minutes after advising us with another email saying we were ignoring him and he was taking it public. At this point we decided it was best to not engage with him. Instead, we spent our time testing the patch, creating newsletters, blog posts, forum posts.
This week, we also dealt with a broken DNS server and an ongoing SYN attack on our web server. We are a small group of volunteers with jobs, families, and other interests. I stand by the Dev Team in how this was handled.
Re: CMSMS sites at risk
DIGI3 wrote: and an ongoing syn attack on our web server
I've noticed this; after finding out about the important new release it took me some time to get on the site to download it.
I'm no particular fan of Cloudflare, but maybe their free service could be used to mitigate it?
Re: CMSMS sites at risk
DIGI3 wrote: This week, we also dealt with a broken dns server, and an ongoing syn attack on our web server. We are a small group of volunteers with jobs, families, and other interests. I stand by the Dev Team in how this was handled.
Great job guys!