
frogcms-traversexss.txt

Posted on 26 March 2009

Security Evaluation of Frog CMS
Version tested: 0.9.4
by Justin C. Klein Keane <justin@madirish.net>

This advisory is also posted at http://www.madirish.net/vulnerabilities/frog-cms

Frog CMS (http://www.madebyfrog.com/) is a lightweight content management system written in PHP that supports several back-end databases (including MySQL). "Frog CMS simplifies content management by offering an elegant user interface, flexible templating per page, simple user management and permissions, as well as the tools necessary for file management."

Frog CMS uses a robust, object-oriented PHP codebase that eliminates many of the most common web application vulnerabilities found in PHP. Frog CMS does, however, have some deficiencies that should be cause for concern. The following are issues identified during a short code audit of the application:

* Frog CMS encourages the use of a root MySQL connection by defaulting to that user and leaving the "Database password" field blank in the installation script.

* Frog CMS requires config.php and the public/ directory to be writable by Apache. This exposes these files to modification by the web server process. This is especially dangerous because the PHP constant TABLE_PREFIX is defined in config.php and is not sanitized when used in SQL queries throughout the application, which opens the possibility of SQL injection.

* Frog CMS ships with a default administrative username and password (admin/password).

* Frog CMS allows enumeration of user e-mail addresses through the "Forgot password" functionality (admin/?/login/forgot), which returns a "No user found!" error if the e-mail address is not registered.

* Frog CMS users with rights to create content can inject arbitrary content into page headers by manipulating the keywords and description fields. For instance, entering "/><script>alert('keyword');</script><script src=" as the keyword value will cause a JavaScript alert to show when the article is viewed (or edited). This vector could be used to attack the administrative account.

* Frog CMS administrative back-end screens are vulnerable to cross-site request forgery (http://en.wikipedia.org/wiki/CSRF). This means that users who are logged in to Frog's website are exposed to other sites carrying out form posts or other manipulation using the credentials the user has already supplied to Frog.

* PHP tags in content are interpreted when pages are requested via Frog CMS. This allows for arbitrary PHP injection in content.

* By design, Frog CMS's file manager in the administrative interface allows the upload of arbitrary files.

* The Frog CMS file manager plugin allows the reading of arbitrary system files; for instance, a user with file manager privileges browsing the URL frog/admin/?/plugin/file_manager/view/../../../../../../../etc/passwd exposes the system passwd file.

* Frog CMS uses a non-standard name for its htaccess file (_.htaccess), which allows the file to be viewed under most configurations.

* Frog CMS contains a 'changelog.txt' file in the root directory which can be used for version enumeration.

--
Justin C. Klein Keane
http://www.MadIrish.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
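The file manager traversal item above is the classic case of resolving a user-supplied path without checking that the result stays under the managed directory. The following is an added example, not Frog CMS code: a containment check a view handler could apply before reading a file, written in PHP with a hypothetical root constant FILE_MANAGER_ROOT and helper name resolveManagedFile(); the advisory's traversal string and an absolute path are rejected while an in-tree path (even one containing dot segments) resolves.

```php
<?php
// Added example, not Frog CMS code. Hypothetical names: FILE_MANAGER_ROOT, resolveManagedFile().
define('FILE_MANAGER_ROOT', sys_get_temp_dir() . '/frog_public_demo');

/**
 * Resolve a user-supplied relative path against FILE_MANAGER_ROOT and return the
 * canonical absolute path only if it stays inside that directory.
 * Returns null for traversal, absolute paths, missing files and directory targets.
 */
function resolveManagedFile(string $requested): ?string
{
    // NUL bytes are never valid in a path; reject them before any filesystem call.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $root = realpath(FILE_MANAGER_ROOT);
    if ($root === false) {
        return null;
    }
    // Always anchor to the root; a leading slash must not replace it.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment check on the canonical path. The trailing separator matters:
    // a bare prefix test would accept "/srv/public_evil" for root "/srv/public".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed demo tree so the example runs offline.
@mkdir(FILE_MANAGER_ROOT . '/images', 0700, true);
file_put_contents(FILE_MANAGER_ROOT . '/images/logo.txt', 'demo');

$cases = [
    'images/logo.txt',                   // legitimate request
    '../../../../../../../etc/passwd',   // traversal string from the advisory
    '/etc/passwd',                       // absolute path
    'images/../images/logo.txt',         // dot segments that stay inside the root
];
foreach ($cases as $case) {
    $resolved = resolveManagedFile($case);
    printf("%-36s => %s\n", $case, $resolved === null ? 'REJECTED' : 'OK ' . basename($resolved));
}
```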
