CMS MADE SIMPLE FORGE

CMS Made Simple Core

 

[#12191] Authenticated Remote code Execution

Created By: Yosri Debaibi (Debaibi)
Date Submitted: Fri Nov 15 10:05:45 -0500 2019

Assigned To: Robert Campbell (calguy1000)
Version: 2.2.12
CMSMS Version: 2.2.12
Severity: Critical
Resolution: Awaiting Response
State: Open
Summary:
Authenticated Remote code Execution
Detailed Description:
The file manager allows admin users to upload files to the application. The
upload function prevents any PHP extension from being uploaded; however, the
.phar extension is not restricted (.phar is a PHP extension). Therefore, an
authenticated attacker is able to upload a malicious file with this
extension (example: shell.phar) and gain remote code execution on the
server.


1) Log in with admin
2) Go to site Admin > File manager > upload
3) Upload shell.phar which contains <?php system('whoami'); ?>
4) Go to the uploads/ directory and execute the malicious file.
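
The failure mode reported above, a denylist that misses one executable extension, shown beside an allowlist check. This is an added example, not CMSMS code and not part of the original report; the function names and the contents of both lists are assumptions.

```php
<?php
// Added example, not CMSMS code. Function names and both lists are assumptions.

// Denylist in the style the report describes: it names known PHP extensions
// but omits "phar", so shell.phar is accepted.
function denylist_allows(string $filename): bool
{
    $blocked = ['php', 'php3', 'php4', 'php5', 'phtml'];   // assumed list
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist: only extensions the site needs are accepted. Every dot-separated
// segment after the base name is checked, and dotfiles are rejected.
function allowlist_allows(string $filename): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt']; // assumed list
    $name = basename(str_replace('\\', '/', $filename));
    if ($name === '' || $name[0] === '.' || strpos($name, "\0") !== false) {
        return false;
    }
    $parts = explode('.', strtolower($name));
    array_shift($parts);              // drop the base name
    if ($parts === []) {
        return false;                 // no extension at all
    }
    foreach ($parts as $segment) {
        if (!in_array($segment, $allowed, true)) {
            return false;             // e.g. "phar" in x.phar.jpg
        }
    }
    return true;
}

// Constructed sample file names.
$samples = ['photo.jpg', 'shell.php', 'shell.phar', 'shell.PHAR', 'x.phar.jpg', '.htaccess'];
foreach ($samples as $f) {
    printf("%-12s denylist=%-5s allowlist=%s\n", $f,
        denylist_allows($f) ? 'allow' : 'block',
        allowlist_allows($f) ? 'allow' : 'block');
}
```

A filename check is one layer only; configuring the web server so that nothing under uploads/ is handed to the PHP interpreter covers the names a filter misses.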



History

Updates

Updated: 2019-11-15 10:16
assigned_to_id: 100 => 106

Updated: 2019-11-15 10:07
resolution_id: 5 => 10

Updated: 2019-11-15 10:06
resolution_id: => 5
severity_id: 2 => 1