#######################################################################################
# Title: LokiCMS Multiple Vulnerabilities through Authorization weakness
# Vendor: http://www.lokicms.com
# Bugs: Arbitrary File Overwrite,Code Injection,File Inclusion,Retrieve Admin's Hash
# Vulnerable Version: LokiCMS 0.3.4 (prior versions also may be affected)
# Exploitation: Remote with browser
# Impact: Very High
# Fix: N/A
#######################################################################################
####################
- Description:
####################
LokiCMS is a content management system that is designed to be simple and clear.
Most cms systems are way to complicated if you just want to make a small mostly static site,
LokiCMS allows you to make a simple site with a few clicks.
####################
- Vulnerability:
####################
Its possible for a remote attacker to set "CMS main settings" without admin privileges.
There is a logical weakness in "admin.php" which could result in multiple vulnerabilitis
simply by set "LokiACTION" and desired parameters via http POST method.
####################
- Code Snippet:
####################
# admin.php Lines:24-42
if ( isset ( $_POST ) && isset ( $_POST['LokiACTION'] ) && strlen ( trim ( $_POST['LokiACTION'] )
) > 0 ) {
// we have an action to do
switch ( trim ( $_POST['LokiACTION'] ) ) {
case 'A_LOGOUT': // Logout
unset($_SESSION[PATH]);
break;
case 'A_LOGIN': // Login
if ( isset ( $_POST['login'] ) && sha1 ( $_POST['login'] ) == $c_password )
$_SESSION[PATH] = 'logged in lokicms030';
break;
case 'A_SAVE_G_SETTINGS': //save main settings
writeconfig ( $c_password, $_POST['title'], $_POST['header'], $_POST['tagline'],
$_POST['footnote'], $c_default, $_POST['theme'], $_POST['language'], $_POST['modrewrite'],
$_POST['simplelink'], $_POST['code'] );
$c_theme = $_POST['theme'];
include PATH . '/includes/Config.php';
include PATH . '/languages/' . $c_lang . '.lang.php';
$msg = $lang ['admin'] ['expressionSettingsSaved'];
break;
# includes/Functions.php Lines:163-200
function writeconfig ( $c_password, $c_title, $c_header, $c_tagline, $c_footnote, $c_default,
$c_theme, $c_lang, $c_modrewrite, $c_simplelink, $c_code )
{
.
.
.
$config = '<?php ' . LINEBREAK;
$config .= '// LokiCMS Config file, You can change settings in this file or via admin.php ' .
LINEBREAK;
$config .= '$c_password = \'' . $c_password . '\'; ' . LINEBREAK;
$config .= '$c_title = \'' . $c_title . '\'; ' . LINEBREAK;
$config .= '$c_header = \'' . $c_header . '\'; ' . LINEBREAK;
$config .= '$c_tagline = \'' . $c_tagline . '\'; ' . LINEBREAK;
$config .= '$c_footnote = \'' . $c_footnote . '\'; ' . LINEBREAK;
$config .= '$c_default = \'' . $c_default . '\'; ' . LINEBREAK;
$config .= '$c_theme = \'' . $c_theme . '\'; ' . LINEBREAK;
$config .= '$c_lang = \'' . $c_lang . '\'; ' . LINEBREAK;
$config .= '$c_modrewrite = ' . $c_modrewrite . '; ' . LINEBREAK;
$config .= '$c_simplelink = ' . $c_simplelink . '; ' . LINEBREAK;
$config .= '$c_code = ' . $c_code . '; ' . LINEBREAK;
$config .= '?>';
$handle = fopen ( 'includes/Config.php', 'w' );
fwrite ( $handle, $config );
fclose ( $handle );
}
####################
- Exploit :
####################
Im not going to release an exploit for this issue because of possible severe damages.
####################
- Solution :
####################
There is no solution at the time of this entry.
####################
- Credit :
####################
Discovered by: trueend5 (trueend5 [at] yahoo com)
This advisory is sponsored by FarsiList:
http://www.farsilist.ir
A Persian Web Based Electronic Maling-List Management System