Security Evaluation Of NanoCMS

14 Apr 2009. Reported by Justin C. Klein Keane. Type: packetstorm. Source: packetstormsecurity.com

Security evaluation of NanoCMS version 0.4_final by Justin C. Klein Keane revealed notable security vulnerabilities allowing complete control of the server process

Security Evaluation of NanoCMS  
  
April 14, 2009  
Version tested: 0.4_final  
by Justin C. Klein Keane <[email protected]>  
  
The text of this report is also available at  
http://www.madirish.net/vulnerabilities/nanocms  
  
NanoCMS (http://nanocms.in) is a PHP based Content Management System  
(CMS). "Nano CMS is the tiniest CMS you can find around. The user  
interface and the functionality are very very simple and extremely easy  
to use. The core feature of NanoCMS is that it is filebased and does  
not use any database at all, which makes it super easy to install - just  
extract and that's it." A brief security evaluation of NanoCMS version  
0.4 final revealed a number of notable security vulnerabilities that  
could allow remote attackers to take complete control of the web server  
process serving NanoCMS.  
  
* NanoCMS utilizes default administrative credentials (admin/demo) which  
can be used to access the administrative portion of the site at  
/data/nanoadmin.php.  
  
* In a default installation the URL to the administrative portion of the  
CMS is displayed at /index.php?page=how-to-install along with the  
default username and password to access the administrative back end.  
  
* NanoCMS installation suggests full read/write permissions (user, group,  
and other (0777)) for the /data/pages and /data/areas directories as  
well as the data/pagesdata.txt file. This is especially dangerous as  
data/pagesdata.txt contains configuration information including the  
administrative username and password hash.  
  
* Semicolon separated, serialized settings variables are stored in a  
plain text file accessible via the web interface at /data/pagesdata.txt.  
These variables include:  
  
s:8:"username";s:5:"admin";  
s:8:"password";s:32:"fe01ce2a7fbac8fafaed7c982a04e229";  
  
This allows for administrative account enumeration. Although the  
password value is stored as an MD5 hash, its availability allows for  
offline hash cracking.  
  
* Version enumeration is possible by viewing the plain text  
configuration page at /data/pagesdata.txt. The serialized variable  
"version" displays this information in the form:  
  
s:7:"version";s:4:"v_4f";  
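
A self-audit for the findings above, added here as an example and not part of the advisory or of NanoCMS. It assumes data/pagesdata.txt is a serialize()d associative array carrying the "username", "password" and "version" keys the advisory quotes (the real file layout may differ) and writes a constructed sample directory to test against.

```php
<?php
// Added example, not part of the advisory or of NanoCMS: a self-audit that
// checks an install for the findings above. Assumes data/pagesdata.txt is a
// serialize()d associative array with the "username", "password" and
// "version" keys quoted in the advisory (the real file layout may differ).

function auditNanoCms(string $dataDir): array
{
    $findings = [];
    $settingsFile = "$dataDir/pagesdata.txt";
    $raw = (string) @file_get_contents($settingsFile);
    $settings = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($settings)) {
        return ['pagesdata.txt missing or not a serialized array'];
    }
    // fe01ce2a7fbac8fafaed7c982a04e229 is md5('demo'), the documented default.
    $hash = strtolower((string) ($settings['password'] ?? ''));
    if (($settings['username'] ?? '') === 'admin' && hash_equals(md5('demo'), $hash)) {
        $findings[] = 'default administrative credentials (admin/demo) still in use';
    }
    if (isset($settings['version'])) {
        $findings[] = 'version string readable from the web: ' . $settings['version'];
    }
    // The install guide suggests 0777 on these; flag anything world-writable.
    foreach ([$settingsFile, "$dataDir/pages", "$dataDir/areas"] as $path) {
        if (file_exists($path) && (fileperms($path) & 0002)) {
            $findings[] = "world-writable: $path";
        }
    }
    return $findings;
}

// Constructed sample data directory mirroring the values quoted above.
$dir = sys_get_temp_dir() . '/nano_audit_' . bin2hex(random_bytes(4));
mkdir("$dir/pages", 0777, true);
chmod("$dir/pages", 0777);
file_put_contents("$dir/pagesdata.txt", serialize([
    'username' => 'admin',
    'password' => 'fe01ce2a7fbac8fafaed7c982a04e229',
    'version'  => 'v_4f',
]));
chmod("$dir/pagesdata.txt", 0777);
print_r(auditNanoCms($dir));
```

Run it against a real /data directory instead of the constructed one to check whether the default credentials and the 0777 permissions are still in place.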
  
* Page title field when creating or editing content is vulnerable to  
arbitrary script injection (cross site scripting). For instance, if a  
new page is created with the title "<script>alert('title');</script>" a  
JavaScript alert is displayed on every page where the content title is listed.  
This arbitrary script is displayed in multiple areas of the  
administrative back end (editing or listing content) exposing site  
administrators to XSS attacks, as well as via the front end, exposing  
all site users.  
  
* The website name, website slogan, below navigation and copyright  
notice areas controlled in the NanoCMS admin panel on the "Content  
Areas" page (data/nanoadmin.php?action=showareas) are all vulnerable to  
arbitrary HTML, JavaScript and PHP code injection. Each of these areas  
is rendered as a flat file with a PHP extension (for instance  
data/areas/website name.php), causing the web server to parse any PHP  
code contained in these files when the NanoCMS powered web site is  
displayed. For instance, if the "website name" value is changed from  
the default "NanoCMS v0.4" to "NanoCMS v0.4 <?php echo phpinfo();?>" the  
site's PHP configuration information will be displayed on the site.  
  
* No protection is provided in administrative forms to protect against  
Cross Site Request Forgery (CSRF) attacks. If a logged in administrator  
were to visit a page that contained a hidden form post to the settings  
URL (data/nanoadmin.php?action=settings) that contained the POST  
variables "save", "username" and "password" the administrative username  
and password would be silently updated as the admin user is not required  
to provide the existing password and no tokens are present to prevent  
the attack.  
  
* Administrative access is controlled via the PHP session variable  
NANO_CMS_ADMIN_LOGGED. NanoCMS passes session information via  
plain-text cookies set to expire at the end of the session. Cookie  
theft could grant full administrative control to unauthorized remote  
attackers.  
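
One way to close the CSRF and session-cookie findings above, written as an added example rather than NanoCMS's own code: a per-session token checked on the action=settings form, a current-password requirement before credentials change, and HttpOnly/Secure/SameSite flags on the session cookie. It assumes PHP 7.3+, HTTPS, and that the stored hash has been migrated from MD5 to password_hash(); updateCredentials() is a hypothetical handler name.

```php
<?php
// Added example, not NanoCMS code: a CSRF token plus current-password check for
// the action=settings form, and hardened cookie flags for the admin session.
// Assumes PHP 7.3+ and HTTPS, and that the stored hash has been migrated from
// MD5 to password_hash(); updateCredentials() is a hypothetical handler name.

session_set_cookie_params([
    'httponly' => true,     // session id unreadable from injected script
    'secure'   => true,     // only sent over HTTPS (assumption)
    'samesite' => 'Strict', // browser omits the cookie on cross-site requests
]);
session_start();

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every administrative form.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfValid(array $post): bool
{
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Returns the new password hash to store, or null when the request is refused.
function updateCredentials(array $post, string $storedHash): ?string
{
    if (!csrfValid($post)) {
        return null;  // a hidden cross-site form post carries no valid token
    }
    if (!password_verify((string) ($post['current_password'] ?? ''), $storedHash)) {
        return null;  // the existing password must be supplied to change it
    }
    $new = (string) ($post['password'] ?? '');
    if (strlen($new) < 12) {
        return null;
    }
    session_regenerate_id(true);  // invalidate any previously stolen session id
    return password_hash($new, PASSWORD_DEFAULT);
}
```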
  
* Any content created in NanoCMS may contain arbitrary PHP code. This  
could enable anyone with the ability to create content to run arbitrary  
commands with the privileges of the web server. For instance, creating  
a new page that contained the content '<?php system("cat  
/etc/passwd");?>' would create a new page that contained as its body  
the listings of the system password file.  
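
The storage pattern behind the content-area, page-title and page-content findings above, shown next to a hardened replacement. This is an added example, not NanoCMS's own code; the function names are illustrative and AREA_NAMES lists the four areas the advisory names.

```php
<?php
// Added example, not NanoCMS code: the storage pattern the advisory describes
// next to a hardened replacement for the admin-editable content areas.
// Function names are illustrative; AREA_NAMES lists the four areas named above.

const AREA_NAMES = ['website name', 'website slogan', 'below navigation', 'copyright notice'];

// Insecure pattern: the value is written to a .php file that is later
// include()d, so any PHP open tag submitted through the form (or through a
// CSRF- or XSS-driven request) runs with the web server's privileges.
function saveAreaInsecure(string $dir, string $name, string $value): void
{
    file_put_contents("$dir/$name.php", $value);
}
function renderAreaInsecure(string $dir, string $name): void
{
    include "$dir/$name.php";
}

// Hardened: only known area names are accepted, the value is stored in a
// non-executable .txt file, and it is HTML-escaped on output so neither PHP
// tags nor script elements are interpreted. The same escaping on output
// fixes the page-title XSS.
function saveArea(string $dir, string $name, string $value): void
{
    if (!in_array($name, AREA_NAMES, true)) {
        throw new InvalidArgumentException('unknown content area');
    }
    file_put_contents("$dir/$name.txt", $value, LOCK_EX);
}
function renderArea(string $dir, string $name): string
{
    if (!in_array($name, AREA_NAMES, true)) {
        throw new InvalidArgumentException('unknown content area');
    }
    $raw = (string) @file_get_contents("$dir/$name.txt");
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed demonstration using the advisory's own sample value.
$dir = sys_get_temp_dir() . '/nano_areas_' . bin2hex(random_bytes(4));
mkdir($dir, 0750);  // group/other need no write access, unlike the 0777 advice
saveArea($dir, 'website name', 'NanoCMS v0.4 <?php echo phpinfo();?>');
echo renderArea($dir, 'website name'), PHP_EOL;
```

renderArea() returns the stored text with its angle brackets and quotes escaped, so the PHP open tag reaches the browser as literal characters and is never parsed by the server.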
  
The combination of these vulnerabilities could allow a remote attacker  
to enumerate the administrative username, crack the associated password,  
log into the administrative back end of the NanoCMS, and create a PHP  
interface to take control of the web server process. This would include  
the ability to read and write files on the system.  
  
--  
Justin C. Klein Keane  
http://www.MadIrish.net  
