chrismunden / cmsfromscratch

Automatically exported from code.google.com/p/cmsfromscratch

Security issues with files & images pages #15

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Stack has discovered some vulnerabilities in CMS from Scratch, which can be
exploited by malicious users to disclose sensitive information and to
compromise a vulnerable system.

1) Input passed to the "dir" parameter in cms/images.php and cms/files.php
is not properly verified before being used to list directories. This can be
exploited to disclose the content of arbitrary directories.

2) The cms/images.php and cms/files.php scripts fail to validate the
extensions of uploaded files. This can be exploited to upload files with
arbitrary extensions (e.g. ".php") and execute arbitrary PHP code on the
server.

Original issue reported on code.google.com by ben.hunt...@gmail.com on 7 Jun 2008 at 8:50

GoogleCodeExporter commented 8 years ago
Quote from: http://secunia.com/advisories/30448/

I've fixed item 1) for next release, pretty simple, however the threat is
exaggerated, because all the scripts in the cms folder test for logged-in status
before executing anyway, so you'd really need to be logged in as the Designer
to be able to access the script in the first place, which means you'd only be
attacking your own site.

On point 2), the Files tab should accept a wide range of file types, but I can
certainly restrict the file types for images easily enough. I'll probably issue
a new release in the next week with fixes for these.

Original comment by ben.hunt...@gmail.com on 7 Jun 2008 at 8:53

GoogleCodeExporter commented 8 years ago
New release 1.2.1 implements a quick fix.

Original comment by ben.hunt...@gmail.com on 25 Jun 2008 at 2:29
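
The two checks discussed in this thread, keeping the "dir" parameter inside one base directory and restricting upload extensions, as an added PHP example. It is not the project's code or its 1.2.1 fix; the function names, the base directory and the extension lists are assumptions.

```php
<?php
// Added example: hypothetical helpers, not code from CMS from Scratch.

// Return the real path for a user-supplied "dir" value only if it stays
// inside $baseDir (assumed content root); otherwise return null.
function resolve_listing_dir(string $baseDir, string $dirParam): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($dirParam, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and fails on missing paths.
    $target = realpath($base . DIRECTORY_SEPARATOR . $dirParam);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Trailing separator stops "/site/images-old" matching "/site/images".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $inside = $target === $base || strncmp($target, $prefix, strlen($prefix)) === 0;
    return $inside ? $target : null;
}

// Accept an upload name only if its last extension is on the allowlist and
// no inner extension is a script type (e.g. "x.php.jpg").
function is_allowed_upload_name(string $name, array $allowedExt): bool
{
    $name = basename(str_replace('\\', '/', $name));
    if ($name === '' || $name[0] === '.' || strpos($name, "\0") !== false) {
        return false;
    }
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2 || !in_array(end($parts), $allowedExt, true)) {
        return false;
    }
    // Assumed list of extensions a PHP host may execute.
    $script = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];
    return array_intersect(array_slice($parts, 1, -1), $script) === [];
}

// Constructed sample inputs; the image allowlist is an assumption.
$imageExt = ['gif', 'jpg', 'jpeg', 'png'];
foreach (['.', '../../etc', 'no-such-dir'] as $dir) {
    var_dump(resolve_listing_dir(__DIR__, $dir));
}
foreach (['logo.png', 'shell.php', 'shell.php.jpg', '.htaccess'] as $file) {
    var_dump(is_allowed_upload_name($file, $imageExt));
}
```

For a tab that must accept a wide range of file types, the same function works with a longer allowlist, and storing uploads in a directory where the web server does not execute scripts limits the impact of anything the list misses.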