Security Evaluation Of NanoCMS
Posted Apr 14, 2009
Authored by Justin C. Klein Keane

This is a security evaluation of NanoCMS version 0.4_final. It suffers from credential leakage, cross site scripting, and various other vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 71c662dc089b12b7192e5d6e256cd945429a5a59a1d24933fb69e6fb99e8d2cc


Security Evaluation of NanoCMS

April 14, 2009
Version tested: 0.4_final
by Justin C. Klein Keane <justin@madirish.net>

The text of this report is also available at
http://www.madirish.net/vulnerabilities/nanocms

NanoCMS (http://nanocms.in) is a PHP based Content Management System
(CMS). "Nano CMS is the tiniest CMS you can find around. The user
interface and the functionality are very very simple and extremely easy
to use. The core feature of NanoCMS is that it is filebased and does
not use any database at all, which makes it super easy to install - just
extract and that's it." A brief security evaluation of NanoCMS version
0.4 final revealed a number of notable security vulnerabilities that
could allow remote attackers to take complete control of the web server
process serving NanoCMS.

* NanoCMS utilizes default administrative credentials (admin/demo) which
can be used to access the administrative portion of the site at
/data/nanoadmin.php.

* In a default installation the URL to the administrative portion of the
CMS is displayed at /index.php?page=how-to-install along with the
default username and password to access the administrative back end.

* The NanoCMS installation instructions suggest full read/write
permissions (user, group, and other (0777)) for the /data/pages and
/data/areas directories as well as the data/pagesdata.txt file. This is
especially dangerous as data/pagesdata.txt contains configuration
information including the administrative username and password hash.

* Semicolon separated, serialized settings variables are stored in a
plain text file accessible via the web interface at /data/pagesdata.txt.
These variables include:

s:8:"username";s:5:"admin";
s:8:"password";s:32:"fe01ce2a7fbac8fafaed7c982a04e229";

This allows for administrative account enumeration. Although the
password value is stored as an MD5 hash, its availability allows for
offline hash cracking.

* Version enumeration is possible by viewing the plain text
configuration page at /data/pagesdata.txt. The serialized variable
"version" displays this information in the form:

s:7:"version";s:4:"v_4f";

* The page title field used when creating or editing content is
vulnerable to arbitrary script injection (cross site scripting). For
instance, if a new page is created with the title
"<script>alert('title');</script>" a JavaScript alert is displayed on
every page where the content title is listed. This arbitrary script is
rendered in multiple areas of the administrative back end (editing or
listing content), exposing site administrators to XSS attacks, as well
as on the front end, exposing all site users.

* The website name, website slogan, below navigation and copyright
notice areas controlled in the NanoCMS admin panel on the "Content
Areas" page (data/nanoadmin.php?action=showareas) are all vulnerable to
arbitrary HTML, JavaScript and PHP code injection. Each of these areas
is written to a flat file with a PHP extension (for instance
data/areas/website name.php), causing the web server to parse any PHP
code contained in these areas when the NanoCMS powered web site is
displayed. For instance, if the "website name" value is changed from
the default "NanoCMS v0.4" to "NanoCMS v0.4 <?php echo phpinfo();?>" the
site's PHP configuration information will be displayed on the site.
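The root cause of the two findings above is the same: administrator-supplied text is written into files the server executes and is echoed into HTML without escaping. The following is an added hardening example, not NanoCMS's own code; the storage directory, area names and function names are assumptions. It stores content areas as plain text outside the web root and escapes both areas and page titles on output, so the payloads quoted above become inert text.

```php
<?php
// Added example (not NanoCMS code): keep admin-editable content as data,
// never as executable PHP, and escape it when rendering.
declare(strict_types=1);

// Assumed storage location outside the document root (NanoCMS 0.4 wrote
// data/areas/<name>.php inside the web root instead).
const AREA_DIR = __DIR__ . '/../private/areas';
const ALLOWED_AREAS = ['website_name', 'website_slogan', 'below_navigation', 'copyright'];

function area_path(string $area): string {
    // Whitelist the area name so it cannot become a path component or
    // carry an attacker-chosen extension such as .php.
    if (!in_array($area, ALLOWED_AREAS, true)) {
        throw new InvalidArgumentException("unknown content area: $area");
    }
    return AREA_DIR . '/' . $area . '.txt';
}

function save_area(string $area, string $value): void {
    $path = area_path($area);
    if (!is_dir(AREA_DIR) && !mkdir(AREA_DIR, 0750, true)) {
        throw new RuntimeException('cannot create area directory');
    }
    // Plain text only: the server never interprets this file as PHP.
    file_put_contents($path, $value, LOCK_EX);
    chmod($path, 0640); // owner/group only, not the 0777 the installer suggests
}

function render_area(string $area): string {
    $path = area_path($area);
    $raw = is_file($path) ? (string) file_get_contents($path) : '';
    // Escape on output: "<?php ... ?>" and "<script>" are displayed, not run.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The same escaping applies to page titles shown in listings and the admin UI.
function render_title(string $title): string {
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample values taken from the advisory's examples.
save_area('website_name', 'NanoCMS v0.4 <?php echo phpinfo();?>');
echo render_area('website_name'), "\n";
echo render_title("<script>alert('title');</script>"), "\n";
```

Content areas that legitimately need HTML would instead pass through an allow-list HTML sanitizer before storage, but should still never be written to a file the PHP engine will execute.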

* No protection is provided in administrative forms to prevent against
Cross Site Request Forgery (CSRF) attacks. If a logged in administrator
was to visit a page that contained a hidden form post to the settings
URL (data/nanoadmin.php?action=settings) that contained the POST
variables "save", "username" and "password" the administrative username
and password would be silently updated as the admin user is not required
to provide the existing password and no tokens are present to prevent
the attack.

* Administrative access is controlled via the PHP session variable
NANO_CMS_ADMIN_LOGGED. NanoCMS passes session information via
plain-text cookies set to expire at the end of the session. Cookie
theft could grant full administrative control to unauthorized remote
attackers.
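The CSRF finding and the session cookie finding above can be addressed together. The following is an added example, not NanoCMS's own code; the settings array layout, the `current_password` field and the function names are assumptions. It ties the session cookie to HttpOnly/Secure/SameSite, requires a per-session token on the settings form, and re-checks the existing password before the username or password can change, so a hidden cross-site form post to data/nanoadmin.php?action=settings no longer succeeds.

```php
<?php
// Added example (not NanoCMS code): CSRF token plus current-password
// check for the settings handler, with hardened session cookie flags.
declare(strict_types=1);

// Cookie flags reduce theft over plain HTTP and block cross-site sends
// (array form of session_set_cookie_params requires PHP 7.3 or later).
session_set_cookie_params([
    'httponly' => true,   // not readable by injected JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Strict',
]);
session_start();

function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool {
    // Constant-time comparison; a missing token is always rejected.
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// $current is the stored settings (assumed shape: username, password_hash);
// the hash comes from password_hash(), not the unsalted MD5 NanoCMS uses.
function handle_settings_post(array $post, array $current): array {
    if (empty($_SESSION['NANO_CMS_ADMIN_LOGGED'])) {
        throw new RuntimeException('not logged in');
    }
    if (!csrf_valid($post['csrf_token'] ?? null)) {
        throw new RuntimeException('invalid or missing CSRF token');
    }
    // A forged cross-site POST cannot supply the administrator's password.
    if (!password_verify((string) ($post['current_password'] ?? ''), $current['password_hash'])) {
        throw new RuntimeException('current password incorrect');
    }
    $new = $current;
    $new['username'] = trim((string) ($post['username'] ?? $current['username']));
    if (!empty($post['password'])) {
        $new['password_hash'] = password_hash((string) $post['password'], PASSWORD_DEFAULT);
    }
    return $new;
}
```

The settings form must carry a hidden `csrf_token` input whose value is `csrf_token()` (HTML-escaped), and the login handler should call `session_regenerate_id(true)` after a successful login so a pre-set session cookie cannot be reused.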

* Any content created in NanoCMS may contain arbitrary PHP code. This
could enable anyone with the ability to create content to run arbitrary
commands with the privileges of the web server. For instance, creating
a new page that contained the content '<?php system("cat
/etc/passwd");?>' would create a new page that contained as its body
the listing of the system password file.

The combination of these vulnerabilities could allow a remote attacker
to enumerate the administrative username, crack the associated password,
log into the administrative back end of the NanoCMS, and create a PHP
interface to take control of the web server process. This would include
the ability to read and write files on the system.

--
Justin C. Klein Keane
http://www.MadIrish.net
