CMS MADE SIMPLE FORGE

CMS Made Simple Core

 

[#12502] A Remote Command Execution vulnerability on the background in CMS Made Simple 2.2.15

Created By: fuzzyap1 (fuzzyap1)
Date Submitted: Thu Dec 09 10:11:15 -0500 2021

Assigned To: CMS Made Simple Foundation (cmsmsfoundation)
Version: 2.1.5
CMSMS Version: 2.1.5
Severity: Critical
Resolution: None
State: Open
Summary:
A Remote Command Execution vulnerability on the background in CMS Made Simple 2.2.15
Detailed Description:
A Remote Command Execution vulnerability on the background in CMS Made Simple
2.2.15, at the upload avatar function.
Uploading an image containing malicious PHP code and then changing the image
extension to a PHP file by using the copy function
eventually leads to remote code execution.

Steps to exploit:
1) Log in as admin at http://localhost/admin/moduleinterface.php, click 'content' >
'File Manager', then upload an image containing malicious PHP code:
payload: phpinfo.png
content of phpinfo.png:
<script language="php"> phpinfo(); </script>

2) Use the 'copy' function to copy phpinfo.png, set 'Target File name' to
phpinfo.php, and click 'copy'.
3) Open the link to phpinfo.php and the PHP code will be
triggered: http://localhost/uploads/phpinfo.php
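
The root cause described in this report is that the copy step accepts a target name whose extension differs from the one the upload check approved. The following is an added example, not CMSMS code and not part of the original report: a destination-name check that a copy or rename handler could apply. The function names and the allow-list are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not taken from CMSMS: decides whether a file-manager
// copy/rename may write $targetName, given the name of the source file.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt']; // assumed allow-list

function extension_of(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

function is_safe_copy_target(string $sourceName, string $targetName): bool
{
    // Reject empty names, path separators, NUL bytes and dotfiles (.htaccess).
    if ($targetName === '' || strpbrk($targetName, "/\\\0") !== false
        || $targetName[0] === '.') {
        return false;
    }
    // Trailing dots or spaces are dropped by some filesystems ("x.php." -> "x.php").
    if (rtrim($targetName, '. ') !== $targetName) {
        return false;
    }
    // A script extension anywhere in the name is refused, because some
    // web-server handler configurations execute "x.php.png" as PHP.
    if (preg_match('/\.(php\d*|phtml|phar|pht)(\.|$)/i', $targetName) === 1) {
        return false;
    }
    $ext = extension_of($targetName);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return false;
    }
    // The copy must not change the file type that the upload check approved.
    return $ext === extension_of($sourceName);
}

// Constructed cases; the second mirrors step 2 of the report.
$cases = [
    ['phpinfo.png', 'copy.png'],
    ['phpinfo.png', 'phpinfo.php'],
    ['phpinfo.png', 'x.php.png'],
    ['phpinfo.png', '../x.png'],
    ['phpinfo.png', 'copy.gif'],
];
foreach ($cases as [$src, $dst]) {
    $verdict = is_safe_copy_target($src, $dst) ? 'allow' : 'deny';
    printf("%-12s -> %-12s %s\n", $src, $dst, $verdict);
}
```

The check covers only the destination name; serving the uploads directory with script execution disabled limits the impact if a script file reaches it by another path.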


