Frog CMS 0.9.4 Traversal / XSS

26 Mar 2009 | Reported by Justin C. Klein Keane | Source: packetstorm (packetstormsecurity.com)

Security Evaluation of Frog CMS Version 0.9.4 by Justin C. Klein Keane

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Security Evaluation of Frog CMS  
  
Version tested: 0.9.4  
by Justin C. Klein Keane <[email protected]>  
  
This advisory is also posted at  
http://www.madirish.net/vulnerabilities/frog-cms  
  
Frog CMS (http://www.madebyfrog.com/) is a lightweight content  
management system written in PHP that supports several back-end  
databases (including MySQL). "Frog CMS simplifies content management by  
offering an elegant user interface, flexible templating per page, simple  
user management and permissions, as well as the tools necessary for file  
management."  
  
Frog CMS uses a robust, object-oriented PHP codebase that eliminates  
many of the most common web application vulnerabilities found in PHP.  
Frog CMS does, however, have some deficiencies that should be cause for  
concern. The following issues were identified during a short code audit  
of the application:  
  
* Frog CMS encourages connecting to MySQL as the root user by  
defaulting to that user and leaving the "Database password" field blank  
in the installation script.  
  
* Frog CMS requires config.php and the public/ directory to be writable  
by the Apache process. This exposes these files to modification by the  
web server process. This is especially dangerous because the PHP constant  
TABLE_PREFIX is defined in config.php and is not sanitized when used in  
SQL queries throughout the application, which exposes the possibility of  
SQL injection.  
  
* Frog CMS utilizes a default administration username and password  
(admin/password).  
  
* Frog CMS allows enumeration of user e-mail accounts using the "Forgot  
password" functionality (admin/?/login/forgot) which will return a "No  
user found!" error if no e-mail address is registered.  
  
* Frog CMS users with rights to create content can inject arbitrary  
content into page headers by manipulating the keywords and description  
fields. For instance, entering:  
  
"/><script>alert('keyword');</script><script src="  
  
for the keyword value will cause a JavaScript alert to show when the  
article is viewed (or edited). This vector could be used to attack the  
administrative account.  
  
* Frog CMS administrative back end screens are vulnerable to cross site  
request forgery (http://en.wikipedia.org/wiki/CSRF). This means that  
users who are logged in to Frog's website are vulnerable to other sites  
carrying out form posts or other manipulation using credentials already  
supplied to Frog by the user.  
  
* PHP tags in content are interpreted when pages are requested via Frog  
CMS. This allows for arbitrary PHP injection in content.  
  
* By design Frog CMS's file manager in the administrative interface  
allows for the upload of arbitrary files.  
  
* The Frog CMS file manager plugin allows for the reading of arbitrary  
system files, for instance, a user with file manager privileges browsing  
the URL  
frog/admin/?/plugin/file_manager/view/../../../../../../../etc/passwd  
exposes the system passwd file.  
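The file manager issue above comes down to opening a path taken from the URL without first resolving it and confirming it still lies under the served directory. The following check is an added example written for this advisory, not code from Frog CMS: it canonicalises the requested path with realpath() and rejects anything that resolves outside an assumed base directory (the `$base` and `safe_file_path` names are assumptions), which is what turns the `../../../etc/passwd` request into a rejection.

```php
<?php
// Added example, not Frog CMS code: a canonicalising path check of the kind a
// file manager "view" action needs before it opens a user-supplied path.
// Assumed layout: served files live under $base; $requested comes from the URL.
function safe_file_path(string $base, string $requested): ?string
{
    // NUL bytes truncate paths inside C-level file APIs; reject them outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false || !is_dir($baseReal)) {
        return null; // the base directory itself must exist
    }
    // realpath() resolves "..", "." and symlinks and returns false when the
    // target does not exist, so a non-existent file is rejected here too.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base with a trailing separator, so that a sibling
    // directory such as "/var/www/public_old" cannot pass as a prefix match.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demonstration: a throwaway base directory holding one real file.
$base = sys_get_temp_dir() . '/frog_public_' . uniqid();
mkdir($base);
file_put_contents($base . '/notes.txt', "inside the base directory\n");

$allowed = safe_file_path($base, 'notes.txt');
$blocked = safe_file_path($base, '../../../../../../../etc/passwd');
echo 'notes.txt -> ' . ($allowed === null ? 'rejected' : 'served ' . $allowed) . PHP_EOL;
echo 'traversal -> ' . ($blocked === null ? 'rejected' : 'served ' . $blocked) . PHP_EOL;

unlink($base . '/notes.txt');
rmdir($base);
```

Because realpath() only resolves paths that exist, the check is also a safe place to add logging of rejected requests, since every rejection is either a traversal attempt or a reference to a file that was never served.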
  
* Frog CMS utilizes a non-standard naming convention for its htaccess  
file (_.htaccess) which allows this file to be viewed under most  
configurations.  
  
* Frog CMS contains a 'changelog.txt' file in the root directory which  
can be used for version enumeration.  
  
--  
Justin C. Klein Keane  
http://www.MadIrish.net  
  
