SEC-20051107-0.txt

`SEC-CONSULT Security Advisory 20051107-0  
=============================================================================  
title: toendaCMS multiple vulnerabilites  
program: toendaCMS  
vulnerable version: <0.6.2  
homepage: www.toenda.com  
found: 2005-10-25  
by: Bernhard Mueller / SEC-CONSULT /  
www.sec-consult.com  
=============================================================================  
  
Vendor description:  
---------------  
  
The toendaCMS Content Management and Weblogging tool gives you a modern,  
professional publishing system, based on an SQL and/or XML database.  
  
  
Vulnerabilty overview:  
---------------  
  
toendaCMS contains various security flaws. These include:  
  
* theft of CMS usernames and passwords (XML database mode)  
* session theft (XML database mode)  
* directory traversal / reading of arbitrary files (XML database mode)  
* arbitrary file uploads  
  
  
Vulnerability details:  
---------------  
  
1) Account data is stored within the webroot (XML mode):  
  
http://tcms.webserver.com/data/tcms_user/<random-val>.xml, where <random  
val> is string composed of 5 bytes (e.g. 2ac336ff0d.xml). Each XML file  
contains username (base64) and password (MD5) of a single user.  
  
This is particularly dangerous if the webserver allows directory listing.  
  
  
2) Session data is stored within the webroot:  
  
http://tcms.webserver.com/engine/admin/<user-id>.xml (XML mode). The  
session files are created once a user logs in to the CMS, so we just  
have to monitor this directory to steal his credentials.  
  
This is particularly dangerous if the webserver allows directory listing.  
  
  
3) Directory Traversal / reading of arbitrary files (XML mode):  
  
http://tcms.webserver.com/engine/admin/admin.php?id_user=  
../../../../../../etc/passwd  
  
  
4) Arbitrary file uploads:  
  
Once we have gained access to the administrator interface, we can use  
the gallery scripts to upload arbitrary files to:  
  
http://tcms.webserver.com/data/images/albums/  
  
No content-type or file validation checks are in place, so this is the  
easiest way to get shell access.  
  
  
Additional Remarks:  
---------------  
  
These flaws were found during a pentest, in an environment with  
MAGIC_QUOTES_GPC activated. Please do NOT try to use toendaCMS without  
MAGIC_QUOTES and other safeguards, unless you plan to run a honeypot or  
have another particular reason for being very vulnerable.  
  
  
Vendor status:  
---------------  
vendor notified: 2005-10-26  
vendor response: 2005-10-30  
patch available: 2005-11-01  
  
  
The issues described in this advisory have been addressed in the latest  
version of toendaCMS (0.6.2 stable). Download at:  
  
http://www.toenda.com/de/data/files/Software/toendaCMS_Version_0.6.0_Stable/toendaCMS_0.6.2_Stable.zip  
  
  
General remarks  
---------------  
We would like to apologize in advance for potential nonconformities  
and/or known issues.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Blindengasse 3  
A-1080 Wien  
Austria  
  
Tel.: +43 / 1 / 409 0307 - 570  
Fax.: +43 / 1 / 409 0307 - 590  
Mail: office at sec-consult dot com  
www.sec-consult.com  
  
EOF Bernhard Mueller / @2005  
bmu at sec-consult dot com  
`