CMS MADE SIMPLE FORGE

CMS Made Simple Core

Back to List

[#12502] A Remote Command Execution vulnerability on the background in CMS Made Simple 2.2.15

Created By: fuzzyap1 (fuzzyap1)

Date Submitted: Thu Dec 09 10:11:15 -0500 2021

Assigned To: CMS Made Simple Foundation (cmsmsfoundation)

Version: 2.1.5

CMSMS Version: 2.1.5

Severity: None

Resolution: Invalid

State: Open

Summary:

A Remote Command Execution vulnerability on the background in CMS Made Simple 2.2.15

Detailed Description:

A Remote Command Execution vulnerability on the background in CMS Made Simple
2.2.15, at the upload avatar function,
Upload an image containing malicious php code and then change the image
extension to a php file by using the copy function
eventually leads to remote code execution.

Steps to exploit:
1)login as admin http://localhost/admin/moduleinterface.php click 'content' >
'File Manager' >  then  upload an  image containing malicious php code：
payload: phpinfo.png 
content of phpinfo.png :
<script language="php"> phpinfo(); </script>

2)use 'copy' function to copy  phpinfo.png  set 'Target File name' to
phpinfo.php  clink 'copy'
3)open the link of phpinfo.php and php code will be
triggered:http://localhost/uploads/phpinfo.php

History

Date: 2023-10-05 23:20
Posted By: Matt Hornsby (DIGI3) (DIGI3)

Please see
https://www.cmsmadesimple.org/community/get-involved/report-a-vulnerability

Updated: 2023-10-04 06:36
resolution_id: => 9
severity_id: 1 => 12

CMSMS | CMS Made Simple

CMS MADE SIMPLE FORGE

CMS Made Simple Core

[#12502] A Remote Command Execution vulnerability on the background in CMS Made Simple 2.2.15

History