CMS Made Simple Path Traversal Vulnerability in UserGuide Module XML Import

Vulnerability

A path traversal vulnerability has been identified in CMS Made Simple (CMSMS) versions through 2.2.22. The issue resides in the UserGuide module's XML import functionality, specifically within the '_copyFilesToFolder' function of 'modules/UserGuide/lib/class.UserGuideImporterExporter.php'. This vulnerability allows authenticated administrators to upload arbitrary files to any location on the server filesystem, potentially leading to remote code execution. The vulnerability arises because the function fails to properly sanitize user-supplied filenames and directory paths from imported XML files, allowing for the injection of path traversal sequences.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the potential for complete server compromise, access to the database and its data, lateral movement within the network, installation of a persistent backdoor, and the possibility of supply chain attacks.

Reproduction

To reproduce this vulnerability, an authenticated administrator must log into the CMS Made Simple admin panel and navigate to the UserGuide module's XML import feature. Once there, upload a crafted XML file that includes path traversal sequences in the 'filename' element and base64-encoded malicious PHP code in the 'data' element. The vulnerable function will then write the file to an arbitrary location on the server. After the upload, the administrator can access the uploaded web shell via an HTTP request, achieving remote code execution.

Remediation

It is recommended to implement strict validation on the 'filename' to reject path traversal sequences, use basename() to extract only the filename, whitelist allowed file extensions and characters, and ensure files can only be written to designated upload directories.
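The checks recommended above, combined into one validation routine. This is an added example, not code from CMS Made Simple or the UserGuide module; the function name safe_import_path and the extension allowlist are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not CMSMS code): map the XML 'filename' value to a path
// inside $uploadDir, or throw if the name is not acceptable.
function safe_import_path(string $uploadDir, string $xmlFilename): string
{
    // Assumed allowlist of attachment types; adjust to what the module needs.
    $allowedExt = ['png', 'jpg', 'jpeg', 'gif', 'pdf'];

    // Reject, rather than silently rewrite, any name carrying path components.
    $name = basename($xmlFilename);
    if ($name === '' || $name !== $xmlFilename) {
        throw new InvalidArgumentException('filename contains path components');
    }
    // Character allowlist: one stem, one extension, no extra dots, no
    // backslashes or NUL bytes (basename() alone does not catch those on Linux).
    if (!preg_match('/\A[A-Za-z0-9_-]+\.([A-Za-z0-9]+)\z/', $name, $m)
        || !in_array(strtolower($m[1]), $allowedExt, true)) {
        throw new InvalidArgumentException('filename or extension not allowed');
    }
    // Resolve the designated directory and confirm the target stays inside it.
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('upload directory does not exist');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    if (dirname($target) !== $base) {
        throw new RuntimeException('target escapes upload directory');
    }
    return $target;
}

// Constructed sample filenames, as they might appear in an imported XML file.
$samples = ['diagram.png', '../../shell.php', 'shell.php', 'img.php.png', '..\\x.png'];
foreach ($samples as $s) {
    try {
        printf("ACCEPT  %s -> %s\n", $s, safe_import_path(sys_get_temp_dir(), $s));
    } catch (Exception $e) {
        printf("REJECT  %s (%s)\n", $s, $e->getMessage());
    }
}
```

Only the first sample is accepted. Any directory value taken from the imported XML needs the same treatment, since the description above names both filenames and directory paths as unsanitized inputs.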

Added: Mar 31, 2026, 4:24 PM
Updated: Mar 31, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 10.0
exploitability: 5.9
remediation: 0.0
relevance: 5.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.