Potential Remote File Inclusion Vulnerability

Post by cmb » Thu Apr 24, 2014 12:14 pm

Hello Community,

A few days ago a Remote File Inclusion Vulnerability regarding CMSimple 4.4 and 4.4.2 was reported: http://www.exploit-db.com/exploits/32930/. This vulnerability affects CMSimple_XH since 1.5 as well.

The report doesn't mention that an exploit requires register_globals to be enabled (which shouldn't be the case, anyway), so if you have disabled register_globals everything is fine. Otherwise you are strongly encouraged to download and install the appropriate patch:
The patch requires the respective CMSimple_XH version (1.5.10 or 1.6.1, respectively) to be already installed; if you're running an older version you have to download and install the respective update package first. Then simply upload the files contained in the patch to your website.

German translation

Christoph
Last edited by cmb on Thu Apr 24, 2014 12:16 pm, edited 1 time in total.
Reason: added link to German translation
Christoph M. Becker – Plugins for CMSimple_XH, but not for CMSimple 4+
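
A configuration check for the precondition named in the post above, added here as an example and not part of the original thread or the CMSimple_XH project: it reads php.ini-style and Apache `php_flag` text and reports whether register_globals ends up enabled. The function names, the sample file contents, and the rule that the last assignment and the most specific layer win are assumptions of this sketch.

```python
import re

# Flag values treated as "enabled" in php.ini and php_flag lines.
TRUE_VALUES = {"1", "on", "yes", "true"}

# php.ini / .user.ini:   register_globals = On
INI_RE = re.compile(r'^\s*register_globals\s*=\s*"?([^\s";]+)', re.I)
# Apache mod_php (.htaccess, vhost):   php_flag register_globals on
APACHE_RE = re.compile(
    r'^\s*php_(?:admin_)?(?:flag|value)\s+register_globals\s+"?([^\s"#]+)', re.I)


def setting_in(text):
    """Return True/False for the last register_globals line, None if unset."""
    state = None
    for line in text.splitlines():
        if line.lstrip().startswith((";", "#")):   # commented-out directive
            continue
        m = INI_RE.match(line) or APACHE_RE.match(line)
        if m:
            state = m.group(1).lower() in TRUE_VALUES
    return state


def effective(layers, default=False):
    """layers: (name, text) pairs, lowest precedence first (assumed order).
    Returns (enabled, name of the layer that decided it)."""
    enabled, source = default, "default"
    for name, text in layers:
        state = setting_in(text)
        if state is not None:
            enabled, source = state, name
    return enabled, source


# Constructed sample files, not taken from any real site.
SAMPLE_PHP_INI = """\
; register_globals = On
register_globals = Off
display_errors = Off
"""
SAMPLE_HTACCESS = """\
# legacy override left behind by an old installer
php_flag register_globals on
"""

if __name__ == "__main__":
    print(effective([("php.ini", SAMPLE_PHP_INI), (".htaccess", SAMPLE_HTACCESS)]))
```

On a live server the value PHP itself reports, for example via `ini_get('register_globals')`, is authoritative; the directive was removed in PHP 5.4.0.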


Re: Potential Remote File Inclusion Vulnerability

Post by Holger » Tue May 06, 2014 8:54 pm

The same vulnerability was found in jQuery4CMSimple too.
More information can be found in this thread.

Holger
