Security Evaluation of NanoCMS
April 14, 2009
Version tested: 0.4_final
by Justin C. Klein Keane <justin_at_madirish.net>
The text of this report is also available at
http://www.madirish.net/vulnerabilities/nanocms
NanoCMS (http://nanocms.in) is a PHP based Content Management System
(CMS). "Nano CMS is the tiniest CMS you can find around. The user
interface and the functionality are very very simple and extremely easy
to use. The core feature of NanoCMS is that it is filebased and does
not use any database at all, which makes it super easy to install - just
extract and that's it." A brief security evaluation of NanoCMS version
0.4 final revealed a number of notable security vulnerabilities that
could allow remote attackers to take complete control of the web server
process serving NanoCMS.
* NanoCMS utilizes default administrative credentials (admin/demo) which
can be used to access the administrative portion of the site at
/data/nanoadmin.php.
* In a default installation the URL to the administrative portion of the
CMS is displayed at /index.php?page=how-to-install along with the
default username and password to access the administrative back end.
* The NanoCMS installation suggests full read/write permissions (user,
group, and other (0777)) for the /data/pages and /data/areas directories
as well as the data/pagesdata.txt file. This is especially dangerous as
data/pagesdata.txt contains configuration information including the
administrative username and password hash.
* Semicolon-separated, serialized settings variables are stored in a
plain text file accessible via the web interface at /data/pagesdata.txt.
These variables include:
s:8:"username";s:5:"admin";
s:8:"password";s:32:"fe01ce2a7fbac8fafaed7c982a04e229";
This allows for administrative account enumeration. Although the
password value is stored as an MD5 hash, its availability allows for
offline hash cracking.
* Version enumeration is possible by viewing the plain text
configuration page at /data/pagesdata.txt. The serialized variable
"version" displays this information in the form:
s:7:"version";s:4:"v_4f";
* The page title field, when creating or editing content, is vulnerable
to arbitrary script injection (cross site scripting). For instance, if a
new page is created with the title "<script>alert('title');</script>", a
JavaScript alert is displayed on every page where the content title is
listed. This arbitrary script is rendered in multiple areas of the
administrative back end (editing or listing content), exposing site
administrators to XSS attacks, as well as on the front end, exposing
all site users.
* The website name, website slogan, below navigation and copyright
notice areas controlled in the NanoCMS admin panel on the "Content
Areas" page (data/nanoadmin.php?action=showareas) are all vulnerable to
arbitrary HTML, JavaScript and PHP code injection. Each of these areas
is rendered as a flat file with a PHP extension (for instance
data/areas/website name.php), causing the web server to parse any PHP
code contained in these files when the NanoCMS powered web site is
displayed. For instance, if the "website name" value is changed from
the default "NanoCMS v0.4" to "NanoCMS v0.4 <?php echo phpinfo();?>" the
site's PHP configuration information will be displayed on the site.
* No protection is provided in administrative forms to prevent Cross
Site Request Forgery (CSRF) attacks. If a logged in administrator were
to visit a page containing a hidden form post to the settings URL
(data/nanoadmin.php?action=settings) with the POST variables "save",
"username" and "password", the administrative username and password
would be silently updated, as the admin user is not required to provide
the existing password and no tokens are present to prevent the attack.
* Administrative access is controlled via the PHP session variable
NANO_CMS_ADMIN_LOGGED. NanoCMS passes session information via
plain-text cookies set to expire at the end of the session. Cookie
theft could grant full administrative control to unauthorized remote
attackers.
* Any content created in NanoCMS may contain arbitrary PHP code. This
could enable anyone with the ability to create content to run arbitrary
commands with the privileges of the web server. For instance, creating
a new page that contained the content '<?php system("cat
/etc/passwd");?>' would create a new page that contained as its body
the listing of the system password file.
The combination of these vulnerabilities could allow a remote attacker
to enumerate the administrative username, crack the associated password,
log into the administrative back end of the NanoCMS, and create a PHP
interface to take control of the web server process. This would include
the ability to read and write files on the system.
--
Justin C. Klein Keane
http://www.MadIrish.net