<<< Date Index >>>     <<< Thread Index >>>

LokiCMS Multiple Vulnerabilities through Authorization weakness



#######################################################################################
# Title: LokiCMS Multiple Vulnerabilities through Authorization weakness
# Vendor: http://www.lokicms.com
# Bugs: Arbitrary File Overwrite,Code Injection,File Inclusion,Retrieve Admin's 
Hash
# Vulnerable Version: LokiCMS 0.3.4 (prior versions also may be affected)
# Exploitation: Remote with browser
# Impact: Very High
# Fix: N/A
#######################################################################################

####################
- Description:
####################

LokiCMS is a content management system that is designed to be simple and clear.
Most cms systems are way to complicated if you just want to make a small mostly 
static site,
LokiCMS allows you to make a simple site with a few clicks.


####################
- Vulnerability:
####################
Its possible for a remote attacker to set "CMS main settings" without admin 
privileges.
There is a logical weakness in "admin.php" which could result in multiple 
vulnerabilitis 
simply by set "LokiACTION" and desired parameters via http POST method. 


####################
- Code Snippet:
####################

# admin.php Lines:24-42
if ( isset ( $_POST ) && isset ( $_POST['LokiACTION'] ) && strlen ( trim ( 
$_POST['LokiACTION'] )
) > 0 ) {
        // we have an action to do
        switch ( trim ( $_POST['LokiACTION'] ) ) {
                case 'A_LOGOUT': // Logout
                        unset($_SESSION[PATH]);
                        break;
                
                case 'A_LOGIN': // Login
                        if ( isset ( $_POST['login'] ) && sha1 ( 
$_POST['login'] ) == $c_password )
                                $_SESSION[PATH] = 'logged in lokicms030';
                        break;
                
                case 'A_SAVE_G_SETTINGS': //save main settings
                        writeconfig ( $c_password, $_POST['title'], 
$_POST['header'], $_POST['tagline'],
$_POST['footnote'], $c_default, $_POST['theme'], $_POST['language'], 
$_POST['modrewrite'],
$_POST['simplelink'], $_POST['code'] );
                        $c_theme = $_POST['theme'];
                        include PATH . '/includes/Config.php';
                        include PATH . '/languages/' . $c_lang . '.lang.php';
                        $msg = $lang ['admin'] ['expressionSettingsSaved'];
                        break;

# includes/Functions.php Lines:163-200
function writeconfig ( $c_password, $c_title, $c_header, $c_tagline, 
$c_footnote, $c_default,
$c_theme, $c_lang, $c_modrewrite, $c_simplelink, $c_code )
{
        .
        .
        .       
        $config  = '<?php ' . LINEBREAK;
        $config .= '// LokiCMS Config file, You can change settings in this 
file or via admin.php ' .
LINEBREAK;
        $config .= '$c_password    = \'' . $c_password   . '\'; ' . LINEBREAK;
        $config .= '$c_title       = \'' . $c_title      . '\'; ' . LINEBREAK;
        $config .= '$c_header      = \'' . $c_header     . '\'; ' . LINEBREAK;
        $config .= '$c_tagline     = \'' . $c_tagline    . '\'; ' . LINEBREAK;
        $config .= '$c_footnote    = \'' . $c_footnote   . '\'; ' . LINEBREAK;
        $config .= '$c_default     = \'' . $c_default    . '\'; ' . LINEBREAK;
        $config .= '$c_theme       = \'' . $c_theme      . '\'; ' . LINEBREAK;
        $config .= '$c_lang        = \'' . $c_lang       . '\'; ' . LINEBREAK;
        $config .= '$c_modrewrite  = '   . $c_modrewrite . '; ' . LINEBREAK;
        $config .= '$c_simplelink  = '   . $c_simplelink . '; ' . LINEBREAK;
        $config .= '$c_code        = '   . $c_code       . '; ' . LINEBREAK;
        $config .= '?>';
        
        $handle = fopen ( 'includes/Config.php', 'w' );
        fwrite ( $handle, $config );
        fclose ( $handle );
}

####################
- Exploit :
####################
Im not going to release an exploit for this issue because of possible severe 
damages.

####################
- Solution :
####################
There is no solution at the time of this entry.

####################
- Credit :
####################
Discovered by: trueend5 (trueend5 [at] yahoo com)

This advisory is sponsored by FarsiList:
http://www.farsilist.ir
A Persian Web Based Electronic Maling-List Management System