CMSMS sites at risk
Posted: Mon Sep 23, 2019 1:48 am
Hi,
I've tried to contact the developers of CMSMS to report a bug.
It turns out, the bug is over a year old and they've known about it and not fixed it.
The bug allows anyone who can visit the website to read files from your web server.
No developer has made any attempt to reach back out to me since I found it, and it appears to be the same for the people who reported it the year previously too.
There are other bugs in the code, I will continue to document them and produce vulnerability reports to let you, the users of CMSMS know, that by running this code you are at risk.
So I've taken the time to come here and let you know because the developers have ignored this issue.
********** Removed by moderator
It has been assigned an official CVE, so this is a public and known vulnerability which has never been resolved.
It's possible that by continuing to run this code, with known vulnerabilities, that you are in breach of PCI standards, though I am not a lawyer.
Section 6.2 of PCI-DSS 3.1 states:
6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Since running a CMS Made Simple site means that you are knowingly running a system with unpatched vulnerabilities, this could be a problem.
To exploit this vulnerability, simply add the following to a CMS Made Simple site URL:
********** Removed by moderator
This will tell the filemanager module to display the file set as m1_file.
The m1_file variable is just a base64 encoded relative file path; the example above is ../config.php, which will retrieve the database username and password for the site on default installations.
You could of course take on the task of patching this code yourself; however, as I've already stated, this is not the only bug in this codebase, and if simple bugs like this are unpatched a year after they were made official.
Yes, I've tested the new beta version. No, it's still not fixed and the above proof of concept exploit will work there too.
I'm sorry you've been treated like this by these developers and left in the lurch.
I hope this helps you and stops any potential data breaches on your site.
I'll keep you posted with the new bugs as I find them.
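The post describes the weakness as a file-manager parameter that is nothing more than a base64-encoded relative path, with nothing stopping that path from climbing out of the directory it is meant to serve. The server-side check that closes this class of bug is to canonicalise the decoded path and refuse anything that does not land under the intended root. The following is an added illustration written for this thread, not code from CMS Made Simple (which is PHP; the same realpath-plus-prefix check applies there). The function names, the `webroot`/`uploads` layout and the sample paths are constructed for the example.

```python
import base64
import binascii
import os
import tempfile
from typing import Optional


def encode_path(relative: str) -> str:
    """Helper so the example can build its own parameter values."""
    return base64.b64encode(relative.encode("utf-8")).decode("ascii")


def decode_relative_path(encoded: str) -> Optional[str]:
    """Strictly decode a base64 path parameter; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def resolve_within_root(root: str, relative: str) -> Optional[str]:
    """Return the canonical absolute path only if it stays under root.

    realpath() resolves '..' segments, absolute paths and symlinks, so the
    prefix comparison is done on what the filesystem would actually open.
    """
    if not relative or "\x00" in relative:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, relative))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None  # escaped the served directory
    return candidate


def read_user_file(root: str, encoded: str) -> Optional[str]:
    """Full flow: decode the parameter, confine it, then read; None on any failure."""
    relative = decode_relative_path(encoded)
    if relative is None:
        return None
    path = resolve_within_root(root, relative)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway web root (constructed data) and exercise the checks."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "uploads", "a.txt"), "w", encoding="utf-8") as fh:
        fh.write("hello")
    # A symlink inside the root that points outside it must also be refused.
    outside = tempfile.mkdtemp(prefix="outside-")
    link = os.path.join(root, "uploads", "escape")
    try:
        os.symlink(outside, link)
    except OSError:
        link = None  # platform without symlink support; skip that case
    return {
        "normal": read_user_file(root, encode_path("uploads/a.txt")) == "hello",
        "traversal": resolve_within_root(root, "../config.php") is None,
        "absolute": resolve_within_root(root, "/etc/passwd") is None,
        "symlink": link is None or resolve_within_root(root, "uploads/escape/x") is None,
        "bad_base64": decode_relative_path("not base64!") is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The important design choice is that the comparison is made after `realpath`, not on the raw string: a naive check for a leading `..` is defeated by `uploads/../../config.php`, by absolute paths, and by symlinks, all of which collapse to their real location before the prefix test here.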