CMSimple Insecure Permissions Vulnerability Allowing Information Disclosure

Vulnerability

CMSimple version 5.16 contains an insecure permissions vulnerability that allows remote attackers to access sensitive information. This is achieved by sending a crafted script to the functionality that downloads PHP backup files.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information, with the potential for remote code execution, according to the vulnerability's author.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the 'Backup' tab. Intercept the outgoing request when clicking the 'download' button for a content or pagedata file. Change the request action from 'download' to 'edit'. In the code editor, replace the PHP code with a payload that executes system commands, such as a command to display the system's user ID. Save the file, and then execute the payload by accessing the file through the web server.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.