CMS Made Simple <= 0.10 - PHP injection

2005-09-02T00:00:00
ID SECURITYVULNS:DOC:9638
Type securityvulns
Reporter Securityvulns
Modified 2005-09-02T00:00:00

Description

-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name: CMS Made Simple - PHP injection
Version <= 0.10
Homepage: http://www.cmsmadesimple.org/

Author: Filip Groszynski (VXSfx)
Date: 31 August 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --

Background:

CMS Made Simple is an easy-to-use content management system for simple, stable content sites. It uses PHP, MySQL and the Smarty templating system.


Vulnerable code exists in ./admin/lang.php:

    <?php
    ...
    $current_language = "en_US";

    # Only do language stuff for admin pages
[!] if (isset($CMS_ADMIN_PAGE)) {
        ...
        # Check to see if there is already a language in use...
        if (isset($_POST["change_cms_lang"])) {
[!]         $current_language = $_POST["change_cms_lang"];
            setcookie("cms_language", $_POST["change_cms_lang"]);
        } else if (isset($_COOKIE["cms_language"])) {
            $current_language = $_COOKIE["cms_language"];
        } else {
            ...
        }

        # Ok, we have a language to load, let's load it already...
        if (isset($nls['file'][$current_language])) {
            foreach ($nls['file'][$current_language] as $onefile) {
[!]             include($onefile);
            }
        }
        ...
    }
    ...
    ?>
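
A hardened shape for the three lines flagged [!] above, as an added example that is not part of the advisory or of CMS Made Simple's own code. It assumes language files live under a hypothetical lang/<code>/ directory and that the admin entry script defines a CMS_ADMIN_PAGE constant; LANG_DIR, DEFAULT_LANGUAGE and the function names are illustrative.

```php
<?php
// Added example (not CMS Made Simple's own code). LANG_DIR, the lang/<code>/
// layout and the function names are assumptions made for illustration.

const LANG_DIR = __DIR__ . '/lang';
const DEFAULT_LANGUAGE = 'en_US';

/** Return the language codes that exist on disk, e.g. ['en_US', 'pl_PL']. */
function installed_languages(): array
{
    $dirs = glob(LANG_DIR . '/*', GLOB_ONLYDIR) ?: [];
    return array_map('basename', $dirs);
}

/** Map request input to an installed language; anything else gets the default. */
function resolve_language(array $post, array $cookie): string
{
    $requested = $post['change_cms_lang'] ?? $cookie['cms_language'] ?? DEFAULT_LANGUAGE;
    // Strict comparison against the on-disk list: the value is never used
    // as an array key or path component unless it matched exactly.
    if (is_string($requested) && in_array($requested, installed_languages(), true)) {
        return $requested;
    }
    return DEFAULT_LANGUAGE;
}

/** Build the include list locally instead of reading it from $nls. */
function language_files(string $language): array
{
    return glob(LANG_DIR . '/' . $language . '/*.php') ?: [];
}

// A constant set by the admin entry script replaces isset($CMS_ADMIN_PAGE):
// request parameters cannot define constants.
if (defined('CMS_ADMIN_PAGE')) {
    $current_language = resolve_language($_POST, $_COOKIE);
    if (isset($_POST['change_cms_lang'])) {
        // Store the validated value, not the raw POST field.
        setcookie('cms_language', $current_language);
    }
    foreach (language_files($current_language) as $onefile) {
        include $onefile;
    }
}
```

Requested directly, without the entry script having defined the constant, the file includes nothing.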