CMSMS v2.2.5 Vulnerable to Code Execution on The Server Through File Upload

A vulnerability labelled CVE-2018-1000094 has been discovered in version 2.2.5 of CMS Made Simple in which a text file can be used to execute PHP or other code. The flaw exists because file names and extensions are not verified: when an administrator account copies a file on the server through the file manager, the new name and extension are not checked, so a malicious text file can be copied to a .php name and the server will then execute its contents. The vulnerability has been graded 6.5 on CVSS 3.0 with an exploitability subscore of 8/10: it is exploitable over the network, relatively simple to exploit, and requires only a one-time authentication with administrator rights.

The following code, authored by Mustafa Hasan, is a proof of concept for this vulnerability.

It seems that there is no fix for this vulnerability yet. Analysts have remarked that its adverse consequences can be mitigated by ensuring that the administrator is trustworthy, that his or her credentials are not compromised, and that server policies are in place to manage users' rights and permissions.
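To make the missing check concrete, here is an added example (not CMS Made Simple's own code, and not the proof of concept mentioned above) of a destination-name validator for a file-manager copy, shown beside the unchecked behaviour; the extension lists and the `is_allowed_copy` helper are constructed assumptions for illustration.

```python
"""Destination-name validation for a file-manager copy, modelled on the
CVE-2018-1000094 weakness: the new file name was accepted as given, so a
.txt file could be copied to a .php name and executed by the web server.
Hypothetical helper, not CMS Made Simple's own code."""
import os
import re

# Extensions the web server may execute (constructed list; adjust per deployment).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "py", "sh"}
# Extensions a copy is allowed to produce: an allow-list, not a deny-list.
ALLOWED_EXTS = {"txt", "jpg", "jpeg", "png", "gif", "pdf", "css"}
# Plain file names only: no leading dot, no slashes, no control characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def copy_unchecked(src: str, dst: str) -> str:
    """Vulnerable behaviour: whatever destination name the caller sends is used."""
    return dst


def validate_copy(src: str, dst: str) -> str:
    """Return dst if it is acceptable, otherwise raise ValueError.

    Checks: both names are plain basenames without traversal, no dotted
    segment of dst is an executable extension (catches x.php.txt as well as
    x.txt.php), the final extension is on the allow-list, and a copy may not
    change the extension of the source file at all."""
    for name in (src, dst):
        if os.path.basename(name) != name or not SAFE_NAME.match(name):
            raise ValueError(f"rejected name: {name!r}")
    src_ext = src.rsplit(".", 1)[-1].lower() if "." in src else ""
    parts = dst.lower().split(".")
    dst_ext = parts[-1] if len(parts) > 1 else ""
    # Inner segments matter too: multi-extension handling in some web servers
    # can map x.php.txt to the PHP handler.
    for seg in parts[1:]:
        if seg in EXECUTABLE_EXTS:
            raise ValueError(f"executable extension not allowed: .{seg}")
    if dst_ext not in ALLOWED_EXTS:
        raise ValueError(f"extension not on allow-list: .{dst_ext}")
    if dst_ext != src_ext:
        raise ValueError(f"copy may not change extension: .{src_ext} -> .{dst_ext}")
    return dst


def is_allowed_copy(src: str, dst: str) -> bool:
    """Boolean wrapper around validate_copy for callers that only need a verdict."""
    try:
        validate_copy(src, dst)
    except ValueError:
        return False
    return True
```

The last check (extension may not change on copy) is the one that directly closes the hole described above; the allow-list and inner-segment checks defend against the same idea reached through upload or rename.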

Aaron Michael