
Security vulnerabilities question

Posted: Tue May 16, 2023 7:50 am
by greenbonexx
Hello all,

I would like to know if the following issues are already solved with the latest releases, as the Release Notes are less than clear about which security issues were solved where:

https://github.com/beerpwn/CVE/blob/mas ... _to_RCE.md

and

https://github.com/beerpwn/CVE/blob/mas ... -report.md

Also, if this is a bad place for this kind of question, please let me know how / where to contact.

Best regards,
greenbonexx

Re: Security vulnerabilities question

Posted: Tue May 16, 2023 1:07 pm
by DIGI3
Exploits that require admin credentials generally aren't prioritized. For a more detailed explanation please see https://www.cmsmadesimple.org/community ... nerability

Re: Security vulnerabilities question

Posted: Wed May 24, 2023 9:56 am
by jce76350
In FileManager/action.upload.php there is a protection for PHP files ;)
Why not for PHAR files?
In the function: protected function is_file_acceptable( $file ) ... if( !$config['developer_mode'] )

Re: Security vulnerabilities question

Posted: Wed May 24, 2023 2:20 pm
by DIGI3
Calguy regretted putting that one in, as he got that question all the time. In a future version we may extend that functionality so a developer can set a list of denied file types, but it's not a priority. Exploits can be in svg and other files too, so I don't think it's best for us to decide what files a developer allows their admins to upload.
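
The developer-configurable deny list discussed in the last two posts could look like the following. This is an added example, not CMS Made Simple code and not written by anyone in the thread. The function name, the constant and the sample file names are hypothetical, and the default list simply holds the three types named in the thread.

```php
<?php
// Added illustration only; not taken from FileManager/action.upload.php.

// Hypothetical default list (the three types mentioned in the thread).
// A site developer would replace it with their own list.
const EXAMPLE_DENIED_EXTENSIONS = ['php', 'phar', 'svg'];

/**
 * Return true if the uploaded file name passes the deny list.
 *
 * The check is deliberately conservative: every dot-separated segment after
 * the stem is compared, case-insensitively, so a denied type is caught even
 * when it is not the final extension or is followed by trailing dots/spaces.
 */
function example_upload_name_is_acceptable(string $name, array $denied = EXAMPLE_DENIED_EXTENSIONS): bool
{
    // Work on the last path component only, whichever separator was sent.
    $base = basename(str_replace('\\', '/', $name));

    // Reject empty names and names carrying a NUL byte.
    if ($base === '' || strpos($base, "\0") !== false) {
        return false;
    }

    // Normalise case and strip trailing dots/spaces before splitting.
    $base = rtrim(strtolower($base), ' .');
    $denied = array_map('strtolower', $denied);

    $segments = explode('.', $base);
    array_shift($segments); // drop the stem; the rest are extension segments

    foreach ($segments as $segment) {
        if (in_array($segment, $denied, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names, not taken from any report.
foreach (['report.pdf', 'archive.PHAR', 'image.php.jpg', 'logo.svg.'] as $sample) {
    printf("%-14s %s\n", $sample, example_upload_name_is_acceptable($sample) ? 'accepted' : 'rejected');
}
```

A name-based deny list only narrows what an admin can upload; it does not inspect file contents.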