CMS MADE SIMPLE FORGE

CMS Made Simple Core

 

[#12502] A Remote Command Execution vulnerability on the background in CMS Made Simple 2.2.15

avatar
Created By: fuzzyap1 (fuzzyap1)
Date Submitted: Thu Dec 09 10:11:15 -0500 2021

Assigned To: CMS Made Simple Foundation (cmsmsfoundation)
Version: 2.1.5
CMSMS Version: 2.1.5
Severity: None
Resolution: Invalid
State: Closed
Summary:
A Remote Command Execution vulnerability on the background in CMS Made Simple 2.2.15
Detailed Description:
A Remote Command Execution vulnerability on the background in CMS Made Simple
2.2.15, at the upload avatar function,
Upload an image containing malicious php code and then change the image
extension to a php file by using the copy function
eventually leads to remote code execution.

Steps to exploit:
1)login as admin http://localhost/admin/moduleinterface.php click 'content' >
'File Manager' >  then  upload an  image containing malicious php code:
payload: phpinfo.png 
content of phpinfo.png :
<script language="php"> phpinfo(); </script>

2)use 'copy' function to copy  phpinfo.png  set 'Target File name' to
phpinfo.php  clink 'copy'
3)open the link of phpinfo.php and php code will be
triggered:http://localhost/uploads/phpinfo.php



History

Comments
avatar
Date: 2023-10-05 23:20
Posted By: Matt Hornsby (DIGI3) (DIGI3)

Please see
https://www.cmsmadesimple.org/community/get-involved/report-a-vulnerability
      
Updates

Updated: 2024-05-06 10:57
state: Open => Closed

Updated: 2023-10-04 06:36
resolution_id: => 9
severity_id: 1 => 12