exploit the possibilities

SEC-20051107-0.txt

SEC-20051107-0.txt
Posted Nov 8, 2005
Authored by Bernhard Mueller | Site sec-consult.com

SEC-CONSULT Security Advisory 20051107-0 - toendaCMS allows for theft of CMS usernames and passwords (XML database mode), session theft (XML database mode), directory traversal attacks (XML database mode), and arbitrary file uploads. Versions below 0.6.2 are affected.

tags | exploit, arbitrary, file upload
MD5 | 6844189f4d71a6ff5a7e18d4ca8b49b4

SEC-20051107-0.txt

Change Mirror Download
SEC-CONSULT Security Advisory 20051107-0
=============================================================================
title: toendaCMS multiple vulnerabilites
program: toendaCMS
vulnerable version: <0.6.2
homepage: www.toenda.com
found: 2005-10-25
by: Bernhard Mueller / SEC-CONSULT /
www.sec-consult.com
=============================================================================

Vendor description:
---------------

The toendaCMS Content Management and Weblogging tool gives you a modern,
professional publishing system, based on an SQL and/or XML database.


Vulnerabilty overview:
---------------

toendaCMS contains various security flaws. These include:

* theft of CMS usernames and passwords (XML database mode)
* session theft (XML database mode)
* directory traversal / reading of arbitrary files (XML database mode)
* arbitrary file uploads


Vulnerability details:
---------------

1) Account data is stored within the webroot (XML mode):

http://tcms.webserver.com/data/tcms_user/<random-val>.xml, where <random
val> is string composed of 5 bytes (e.g. 2ac336ff0d.xml). Each XML file
contains username (base64) and password (MD5) of a single user.

This is particularly dangerous if the webserver allows directory listing.


2) Session data is stored within the webroot:

http://tcms.webserver.com/engine/admin/<user-id>.xml (XML mode). The
session files are created once a user logs in to the CMS, so we just
have to monitor this directory to steal his credentials.

This is particularly dangerous if the webserver allows directory listing.


3) Directory Traversal / reading of arbitrary files (XML mode):

http://tcms.webserver.com/engine/admin/admin.php?id_user=
../../../../../../etc/passwd


4) Arbitrary file uploads:

Once we have gained access to the administrator interface, we can use
the gallery scripts to upload arbitrary files to:

http://tcms.webserver.com/data/images/albums/

No content-type or file validation checks are in place, so this is the
easiest way to get shell access.


Additional Remarks:
---------------

These flaws were found during a pentest, in an environment with
MAGIC_QUOTES_GPC activated. Please do NOT try to use toendaCMS without
MAGIC_QUOTES and other safeguards, unless you plan to run a honeypot or
have another particular reason for being very vulnerable.


Vendor status:
---------------
vendor notified: 2005-10-26
vendor response: 2005-10-30
patch available: 2005-11-01


The issues described in this advisory have been addressed in the latest
version of toendaCMS (0.6.2 stable). Download at:

http://www.toenda.com/de/data/files/Software/toendaCMS_Version_0.6.0_Stable/toendaCMS_0.6.2_Stable.zip


General remarks
---------------
We would like to apologize in advance for potential nonconformities
and/or known issues.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2005
bmu at sec-consult dot com
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    14 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close