CVE-2018-1000094
Published 2018-03-13

Priority: P2 · 61 · high
CVSS 3.0 base score: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 40.55% (98.5th percentile)

CMS Made Simple version 2.2.5 contains a Remote Code Execution vulnerability in File Manager that allows an authenticated admin who has access to the file manager to execute code on the server. This attack appears to be exploitable via file upload, then copy to any extension.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cmsmadesimple | cms_made_simple | — | — |
Detection & IOCs

| Type | Indicator |
|---|---|
| path | /admin/moduleinterface.php |
| bytes | <?php system($_GET[ |
snort (ET rule sid:2025782):

```
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple Remote Code Execution"; flow:established,to_server; http.uri; content:"/admin/moduleinterface.php"; fast_pattern; endswith; http.request_body; content:"<?php system($_GET["; reference:cve,2018-1000094; reference:url,exploit-db.com/exploits/44977/; classtype:attempted-user; sid:2025782; rev:3; metadata:attack_target Web_Server, created_at 2018_07_05, cve CVE_2018_100009, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
- Look for POST requests to /admin/moduleinterface.php with mact=FileManager,m1_,upload,0 followed shortly by mact=FileManager,m1_,fileaction,0 carrying the m1_fileactioncopy parameter; this two-step sequence (upload a .txt, then copy it to .php) is the exploit chain.
- Detect a PHP webshell payload in the HTTP request body targeting /admin/moduleinterface.php; the ET rule keys on the string '<?php system($_GET[' in the POST body.
- Monitor the /uploads/ directory for newly created .php files; the exploit copies an uploaded .txt file to shell.php in the web root's uploads directory, which is then directly accessible via HTTP.
- The exploit uses a base64-encoded serialized PHP array in the m1_selall parameter to reference the uploaded file during the copy/rename step; look for base64 blobs in m1_selall POST fields.
- The CSRF token parameter '__c' is extracted from the redirect Location header after login and reused in subsequent exploit requests; correlate authenticated sessions making rapid FileManager module calls.
- The exploit requires valid admin credentials; this is an authenticated RCE, so detection should focus on admin-authenticated sessions abusing the FileManager module rather than on unauthenticated access.
- The Metasploit module confirms the vulnerability affects both 2.2.5 and 2.2.7; detections should not be scoped only to 2.2.5.
- The ET Snort rule (sid:2025782) contains a metadata field listing 'cve CVE_2018_100009', which appears to be a typo for CVE-2018-1000094; do not rely on the CVE metadata field in that rule for accurate CVE mapping.
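The detection notes above describe a per-session request sequence (FileManager upload, then fileaction copy) plus several body-level indicators. The following Python is an added example written for this page, not code from the indexed sources: it classifies individual requests using the parameter names and the webshell marker quoted above, correlates upload-then-copy pairs per session within a time window, and diffs two listings of the uploads directory for new .php files. The request record shape, the `session` field, the 60-second window and the sample records are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Indicators taken from the detection notes and the ET rule above.
MODULE_PATH = "/admin/moduleinterface.php"
UPLOAD_ACTION = "FileManager,m1_,upload,0"
FILEACTION = "FileManager,m1_,fileaction,0"
COPY_PARAM = "m1_fileactioncopy"
WEBSHELL_MARKER = "<?php system($_GET["
# A "base64 blob": at least 16 base64 characters plus optional padding.
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Assumed input shape (not from the page): one dict per request, as a proxy or
# WAF export might provide it, with the POST body already decoded. "session"
# stands in for whatever you correlate on (cookie, source IP plus admin user).
# These records are constructed for the example; the m1_selall value is the
# base64 of a placeholder string, not a real serialized PHP array.
SAMPLE_REQUESTS = [
    {"ts": 100.0, "session": "s1", "method": "POST",
     "path": "/cmsms/admin/moduleinterface.php",
     "body": "mact=FileManager,m1_,upload,0&__c=tok&m1_files=cmsmsrce.txt"},
    {"ts": 103.5, "session": "s1", "method": "POST",
     "path": "/cmsms/admin/moduleinterface.php",
     "body": "mact=FileManager,m1_,fileaction,0&__c=tok&m1_fileactioncopy=1"
             "&m1_selall=Y29uc3RydWN0ZWQtc2FtcGxlLXBsYWNlaG9sZGVy"},
    {"ts": 200.0, "session": "s2", "method": "POST",
     "path": "/cmsms/admin/moduleinterface.php",
     "body": "mact=FileManager,m1_,upload,0&__c=tok2&m1_files=notes.txt"},
    {"ts": 250.0, "session": "s3", "method": "GET",
     "path": "/cmsms/admin/moduleinterface.php", "body": ""},
]


def classify(req):
    """Return the set of indicator tags matched by one request (empty if none)."""
    tags = set()
    if req["method"] != "POST" or not req["path"].endswith(MODULE_PATH):
        return tags
    params = parse_qs(req["body"], keep_blank_values=True)
    mact = params.get("mact", [""])[0]
    if mact == UPLOAD_ACTION:
        tags.add("fm_upload")
    if mact == FILEACTION and COPY_PARAM in params:
        tags.add("fm_copy")
    selall = params.get("m1_selall", [""])[0]
    if selall and BASE64_BLOB.match(selall):
        tags.add("b64_selall")
    if WEBSHELL_MARKER in req["body"]:
        tags.add("webshell_marker")
    return tags


def find_upload_copy_chains(requests, window_seconds=60):
    """Per session, pair an FM upload with a later FM copy inside the window.

    Returns one dict per chain with the session, both timestamps and the
    indicator tags seen on the copy request.
    """
    by_session = defaultdict(list)
    for r in sorted(requests, key=lambda r: r["ts"]):
        tags = classify(r)
        if tags:
            by_session[r["session"]].append((r["ts"], tags))
    hits = []
    for sess, events in by_session.items():
        pending_upload = None
        for ts, tags in events:
            if "fm_upload" in tags:
                pending_upload = ts
            elif ("fm_copy" in tags and pending_upload is not None
                  and ts - pending_upload <= window_seconds):
                hits.append({"session": sess, "upload_ts": pending_upload,
                             "copy_ts": ts, "indicators": sorted(tags)})
                pending_upload = None
    return hits


def new_php_in_uploads(before, after):
    """Diff two listings of the /uploads directory and return new .php files."""
    return sorted(f for f in set(after) - set(before)
                  if f.lower().endswith(".php"))


if __name__ == "__main__":
    for hit in find_upload_copy_chains(SAMPLE_REQUESTS):
        print("upload->copy chain:", hit)
    print("new php:", new_php_in_uploads({"cmsmsrce.txt"},
                                         {"cmsmsrce.txt", "shell.php"}))
```

The session correlation is what separates the exploit chain from ordinary admin activity: a lone upload (session s2) is not reported, and only a copy that follows an upload within the window closes a chain. The directory diff covers the third note, where body inspection is unavailable (TLS terminated elsewhere, or logs without bodies).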
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Suricata
ET WEB_SPECIFIC_APPS CMS Made Simple Remote Code Execution
suricata · 2018-07-05 · CVE-2018-1000094
Rule: sid:2025782 rev:3, reproduced in full under Detection & IOCs above.
Exploit-DB
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution
exploitdb · 2018-07-04 · CVSS 7.2 · CVE-2018-1000094 [HIGH]
Exploit source (indexed copy, truncated):

```python
# Exploit Title: CMS Made Simple 2.2.5 authenticated Remote Code Execution
# Date: 3rd of July, 2018
# Exploit Author: Mustafa Hasan (@strukt93)
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: http://www.cmsmadesimple.org/downloads/cmsms/
# Version: 2.2.5
# CVE: CVE-2018-1000094

import requests
import base64

base_url = "http://192.168.1.10/cmsms/admin"
upload_dir = "/uploads"
upload_url = base_url.split('/admin')[0] + upload_dir
username = "admin"
password = "password"
csrf_param = "__c"
txt_filename = 'cmsmsrce.txt'
php_filename = 'shell.php'
payload = ""


def parse_csrf_token(location):
    return location.split(csrf_param + "=")[1]


def authenticate():
    page = "/login.php"
    url = base_url + page
    data = {
```
Metasploit
CMS Made Simple Authenticated RCE via File Upload/Copy
metasploit
CMS Made Simple allows an authenticated administrator to upload a file and rename it to have a .php extension. The file can then be executed by opening the URL of the file in the /uploads/ directory. This module has been successfully tested on CMS Made Simple versions 2.2.5 and 2.2.7.
No writeups or analysis indexed.
Published: 2018-03-13