| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <PS1PR04MB1705E48E7DDD9B9A4801E816DFDD0@PS1PR04MB1705.apcprd04.prod.outlook.com>
Date: Wed, 28 Jun 2017 16:04:26 +0000
From: Wester Zeng <evilzyzeng@...look.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Local file inclusion in cmsmadesimple <=2.2.1
=======
Details
=======
Software:cmsmadesimple
Homepage:http://www.cmsmadesimple.org/<http://www.cmsmadesimple.org/><http://www.cmsmadesimple.org/>
version:<=2.2.1
description:The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.
========
PoC:
========
For cmsmadesimple <=2.1.6:
The Vulnerability is existing in /cmsms/admin/listtags.php Line 82 and line 54
If there is a file named "1.phpinfo.php" in http://127.0.0.1/1.phpinfo.php
So when we visit the following link:
http://127.0.0.1/cmsms/admin/listtags.php?_sk_=08852e62af02bc03&action=showpluginhelp
local file inclusion successfully!
For cmsmadesimple <=2.2.1:
Current version is still vulnerable.
if ($action == "showpluginhelp") {
$content = '';
$file = $find_file("$type.$plugin.php");
if( is_file($file) ) require_once($file);
=========
Reference
==========
https://lightrains.org/local-file-inclusion-in-cmsmadesimple/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists