Directory Traversal (lib/translation.functions.php) (CMS Made Simple) v1.6.x
Description
A directory traversal vulnerability exists in the lib/translation.functions.php file of CMS Made Simple versions prior to 1.6.8. Attackers can exploit this flaw by injecting path traversal sequences (../) into the default_cms_lang parameter when accessing admin scripts such as admin/addbookmark.php. This allows unauthorized users to include and execute arbitrary local files from the server's filesystem, potentially leading to complete system compromise.
Remediation
Immediately upgrade CMS Made Simple to version 1.6.8 or later, which addresses this vulnerability. If immediate upgrading is not possible, implement the following temporary mitigations:
1. Restrict access to the admin directory using web server access controls (IP whitelisting or authentication)
2. Implement input validation to reject requests containing path traversal sequences:
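    // Sanitize the language parameter
    if (isset($_GET['default_cms_lang'])) {
        // Reject directory traversal sequences ("../" or "..\").
        // The backslash is written as four backslashes so that the regex
        // engine receives an escaped backslash inside the character class.
        if (preg_match('/\.\.[\/\\\\]/', $_GET['default_cms_lang'])) {
            die('Invalid language parameter');
        }
        // Keep only the final path component; use $lang, not the raw value, from here on
        $lang = basename($_GET['default_cms_lang']);
    }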
3. Monitor server logs for suspicious requests containing "../" patterns in the default_cms_lang parameter
4. Consider implementing a Web Application Firewall (WAF) rule to block path traversal attempts
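For the log monitoring in step 3, a plain search for "../" misses percent-encoded and double-encoded forms. The following is an added example, not part of CMS Made Simple or the original advisory: it decodes the default_cms_lang value before matching. It assumes common/combined-format access logs with the parameter in the query string; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Request line of a common/combined log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# ".." followed by a forward slash or backslash, tested after decoding
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
PARAM = "default_cms_lang"

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_lang_value(log_line):
    """Return the decoded default_cms_lang value if it contains traversal, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    query = m.group(1).partition("?")[2]
    # parse_qsl performs the first round of percent-decoding
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == PARAM:
            decoded = fully_decode(value)
            if TRAVERSAL_RE.search(decoded):
                return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every suspicious entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_lang_value(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample entries (documentation IP range, placeholder paths)
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /admin/addbookmark.php?default_cms_lang=en_US HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/addbookmark.php?default_cms_lang=../../example HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /admin/addbookmark.php?default_cms_lang=%2e%2e%2f%2e%2e%2fexample HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /admin/addbookmark.php?default_cms_lang=%252e%252e%255cexample HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: {PARAM} decodes to {value!r}")
```

Values submitted in a POST body do not appear in standard access logs, so this check covers query-string requests only.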