CMS Made Simple (CMSMS) Unauthenticated Remote Code Execution (CVE-2019-9053/CVE-2021-26120)¶

中文版本(Chinese version)

CMS Made Simple (CMSMS) is a free, open source content management system to provide developers, programmers and site owners a web-based development and administration area.

Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring, CVE-2021-26120 was assigned to this issue.

CMS Made Simple version <= 2.2.15, a user that is authenticated with designer permissions can trigger a server side template injection, the CVE-2021-26120 mentioned above.

So, if the CMSMS version is prior to 2.2.9.1, unauthencated attacker is able to chain CVE-2019-9053 and CVE-2021-26120 to execute arbitrary code in the server.

References:

• https://srcincite.io/pocs/cve-2021-26120.py.txt
• https://www.exploit-db.com/exploits/46635

Vulnerable Environment¶

Execute following command to start a CMS Made Simple 2.2.9.1:

docker compose up -d

After the server is started, you should install the CMS at http://your-ip/install.php.

Following the install instructions to install the CMSMS, MySQL database address is db, database name is cmsms, username and password are both root.

Exploit¶

Use the POC inside the https://srcincite.io/pocs/cve-2021-26120.py.txt to reset the administrator password and execute arbitrary commands:

python poc.py 127.0.0.1 / id

As you can see, id command has been executed.