GetSimple CMS 2.01 / 2.02 Credential Disclosure

2010-11-24T00:00:00
ID PACKETSTORM:96097
Type packetstorm
Reporter Michael Brooks
Modified 2010-11-24T00:00:00

Description

                                        
                                            `Researcher: Michael Brooks  
Affecting: GetSimple CMS 2.01 and 2.02  
Fixed:2.03  
Vulnerability: Administrative Credentials Disclosure  
Vendor's Homepage: http://code.google.com/p/get-simple-cms  
  
download url for 2.01: http://www.box.net/get-simple/1/30435008/399754548  
download svn for 2.02(beta): svn checkout  
http://get-simple-cms.googlecode.com/svn/trunk/  
get-simple-cms-read-only  
  
GetSimple does not use a SQL Database. Instead it uses a system of  
.xml files located here: http://127.0.0.1/GetSimple_2.01/data. These  
files are used to maintain application state and organize the  
applications content. The administrators username and password hash  
can be obtained by navigating to the following xml file:  
http://127.0.0.1/GetSimple_2.01/data/other/user.xml  
Passwords are stored using sha1() and a salt is not used by default,  
although a user can configure the application to use one. It is  
trivial to break this hash using John The Ripper or Cain and Able .  
  
All failed login attempts are put into the following XML file, this  
information can greatly reduce the number of guesses that an attacker  
would have to make in order to break the sha1 hash.  
http://127.0.0.1/GetSimple_2.01/data/other/logs/failedlogins.log  
  
There are other interesting files such as a clear text API token can  
be obtained:  
http://127.0.0.1/GetSimple_2.01/data/other/authorization.xml  
  
The patch is simple, in the ./data/ directory add a .htaccess file  
with that contains "deny from all".  
  
`