####################################################################################### # Title: LokiCMS Multiple Vulnerabilities through Authorization weakness # Vendor: http://www.lokicms.com # Bugs: Arbitrary File Overwrite,Code Injection,File Inclusion,Retrieve Admin's Hash # Vulnerable Version: LokiCMS 0.3.4 (prior versions also may be affected) # Exploitation: Remote with browser # Impact: Very High # Fix: N/A ####################################################################################### #################### - Description: #################### LokiCMS is a content management system that is designed to be simple and clear. Most cms systems are way to complicated if you just want to make a small mostly static site, LokiCMS allows you to make a simple site with a few clicks. #################### - Vulnerability: #################### Its possible for a remote attacker to set "CMS main settings" without admin privileges. There is a logical weakness in "admin.php" which could result in multiple vulnerabilitis simply by set "LokiACTION" and desired parameters via http POST method. #################### - Code Snippet: #################### # admin.php Lines:24-42 if ( isset ( $_POST ) && isset ( $_POST['LokiACTION'] ) && strlen ( trim ( $_POST['LokiACTION'] ) ) > 0 ) { // we have an action to do switch ( trim ( $_POST['LokiACTION'] ) ) { case 'A_LOGOUT': // Logout unset($_SESSION[PATH]); break; case 'A_LOGIN': // Login if ( isset ( $_POST['login'] ) && sha1 ( $_POST['login'] ) == $c_password ) $_SESSION[PATH] = 'logged in lokicms030'; break; case 'A_SAVE_G_SETTINGS': //save main settings writeconfig ( $c_password, $_POST['title'], $_POST['header'], $_POST['tagline'], $_POST['footnote'], $c_default, $_POST['theme'], $_POST['language'], $_POST['modrewrite'], $_POST['simplelink'], $_POST['code'] ); $c_theme = $_POST['theme']; include PATH . '/includes/Config.php'; include PATH . '/languages/' . $c_lang . '.lang.php'; $msg = $lang ['admin'] ['expressionSettingsSaved']; break; # includes/Functions.php Lines:163-200 function writeconfig ( $c_password, $c_title, $c_header, $c_tagline, $c_footnote, $c_default, $c_theme, $c_lang, $c_modrewrite, $c_simplelink, $c_code ) { . . . $config = '<?php ' . LINEBREAK; $config .= '// LokiCMS Config file, You can change settings in this file or via admin.php ' . LINEBREAK; $config .= '$c_password = \'' . $c_password . '\'; ' . LINEBREAK; $config .= '$c_title = \'' . $c_title . '\'; ' . LINEBREAK; $config .= '$c_header = \'' . $c_header . '\'; ' . LINEBREAK; $config .= '$c_tagline = \'' . $c_tagline . '\'; ' . LINEBREAK; $config .= '$c_footnote = \'' . $c_footnote . '\'; ' . LINEBREAK; $config .= '$c_default = \'' . $c_default . '\'; ' . LINEBREAK; $config .= '$c_theme = \'' . $c_theme . '\'; ' . LINEBREAK; $config .= '$c_lang = \'' . $c_lang . '\'; ' . LINEBREAK; $config .= '$c_modrewrite = ' . $c_modrewrite . '; ' . LINEBREAK; $config .= '$c_simplelink = ' . $c_simplelink . '; ' . LINEBREAK; $config .= '$c_code = ' . $c_code . '; ' . LINEBREAK; $config .= '?>'; $handle = fopen ( 'includes/Config.php', 'w' ); fwrite ( $handle, $config ); fclose ( $handle ); } #################### - Exploit : #################### Im not going to release an exploit for this issue because of possible severe damages. #################### - Solution : #################### There is no solution at the time of this entry. #################### - Credit : #################### Discovered by: trueend5 (trueend5 [at] yahoo com) This advisory is sponsored by FarsiList: http://www.farsilist.ir A Persian Web Based Electronic Maling-List Management System