Full Disclosure mailing list archives

Local file inclusion in cmsmadesimple <=2.2.1

From: Wester Zeng <evilzyzeng () outlook com>
Date: Wed, 28 Jun 2017 16:04:26 +0000

=======
Details
=======

Software:cmsmadesimple


Homepage:http://www.cmsmadesimple.org/<http://www.cmsmadesimple.org/><http://www.cmsmadesimple.org/>


version:<=2.2.1


description:The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file 
inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied 
input without proper validation.


========

PoC:

========


For cmsmadesimple <=2.1.6:


The Vulnerability is existing in /cmsms/admin/listtags.php Line 82 and line 54

If there is a file named "1.phpinfo.php" in http://127.0.0.1/1.phpinfo.php

So when we visit the following link:

http://127.0.0.1/cmsms/admin/listtags.php?_sk_=08852e62af02bc03&action=showpluginhelp


local file inclusion successfully!


For cmsmadesimple <=2.2.1:


Current version is still vulnerable.


if ($action == "showpluginhelp") {
    $content = '';
    $file = $find_file("$type.$plugin.php");
    if( is_file($file) ) require_once($file);


=========

Reference

==========


https://lightrains.org/local-file-inclusion-in-cmsmadesimple/




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

Local file inclusion in cmsmadesimple <=2.2.1 Wester Zeng (Jun 29)