Multiple Vulnerabilities in LucidCMS Apr 02 2006 06:07AM
crasher kecoak or id
Multiple Vulnerabilities in LucidCMS

Author : Rusydi Hasan M
a.k.a : cR45H3R
Date : April,1st 2006
Location : Indonesia, Cilacap

--- Software description

lucidCMS is a simple and flexible content management system for
the individual or organization that wishes to manage a collection
of web pages without the overhead and complexity of other available
open source "community" CMS options.

HOME : http://lucidCMS.net
Version : 2.0.0 RC4

--- The bugs

There's 2 bugs.XSS and full path disclosures

--- PoC

1. XSS a.k.a Cross site scripting

How the Proof of concepts ?


example :'><script>al
ert(document.cookie)</script>'><h1>Bla bla
bla</h1>'><script>alert('patch your

2. Full path disclosures

in /lucid_phplib/translator.php


Warning: opendir(DIR_LANG): failed to open dir: No such file or directory in
/var/www/html/lucidcms/lucid_phplib/translator.php on line 45

Warning: readdir(): supplied argument is not a valid Directory resource in
/var/www/html/lucidcms/lucid_phplib/translator.php on line 46

Where's the problem ???

function get_languages(){
$langs = array();
$dir = opendir(DIR_LANG); <-- This is the trouble
while($name = readdir($dir)) { <-- and this too
if ($name == '.' || $name== '..') continue;
$langFile = DIR_LANG.$name.'/LC_MESSAGES/'.CONFIG_DOMAIN.'.mo';
if (file_exists($langFile)) {
// $GLOBALS['echoLater'][] = $langFile; //troublshooting...
$langs[] = $name;
return $langs;

--- vendor

I'm too lazy :D .

--- shoutz

1. kecoak

2. echo staff (y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32,
anonymous, the day)
3. ph03n1x,ghoz,spyoff,slackX,r34d3r,xnuxer,negative,sakitjiwa

--- contact

crasher (at) kecoak.or (dot) id [email concealed]

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus