#######################################################################################
# Title: LokiCMS Multiple Vulnerabilities through Authorization weakness
# Vendor: http://www.lokicms.com
# Bugs: Arbitrary File Overwrite,Code Injection,File Inclusion,Retrieve Admin's Hash
# Vulnerable Version: LokiCMS 0.3.4 (prior versions also may be affected)
# Exploitation: Remote with browser
# Impact: Very High
# Fix: N/A
#######################################################################################

####################
- Description:
####################

LokiCMS is a content management system that is designed to be simple and clear.
Most cms systems are way to complicated if you just want to make a small mostly static site,
LokiCMS allows you to make a simple site with a few clicks.


####################
- Vulnerability:
####################
Its possible for a remote attacker to set "CMS main settings" without admin privileges.
There is a logical weakness in "admin.php" which could result in multiple vulnerabilitis 
simply by set "LokiACTION" and desired parameters via http POST method. 


####################
- Code Snippet:
####################

# admin.php Lines:24-42
if ( isset ( $_POST ) && isset ( $_POST['LokiACTION'] ) && strlen ( trim ( $_POST['LokiACTION'] )
) > 0 ) {
	// we have an action to do
	switch ( trim ( $_POST['LokiACTION'] ) ) {
		case 'A_LOGOUT': // Logout
			unset($_SESSION[PATH]);
			break;
		
		case 'A_LOGIN': // Login
			if ( isset ( $_POST['login'] ) && sha1 ( $_POST['login'] ) == $c_password )
				$_SESSION[PATH] = 'logged in lokicms030';
			break;
		
		case 'A_SAVE_G_SETTINGS': //save main settings
			writeconfig ( $c_password, $_POST['title'], $_POST['header'], $_POST['tagline'],
$_POST['footnote'], $c_default, $_POST['theme'], $_POST['language'], $_POST['modrewrite'],
$_POST['simplelink'], $_POST['code'] );
  			$c_theme = $_POST['theme'];
			include PATH . '/includes/Config.php';
			include PATH . '/languages/' . $c_lang . '.lang.php';
			$msg = $lang ['admin'] ['expressionSettingsSaved'];
			break;

# includes/Functions.php Lines:163-200
function writeconfig ( $c_password, $c_title, $c_header, $c_tagline, $c_footnote, $c_default,
$c_theme, $c_lang, $c_modrewrite, $c_simplelink, $c_code )
{
	.
	.
	.	
	$config  = '<?php ' . LINEBREAK;
	$config .= '// LokiCMS Config file, You can change settings in this file or via admin.php ' .
LINEBREAK;
	$config .= '$c_password    = \'' . $c_password   . '\'; ' . LINEBREAK;
	$config .= '$c_title       = \'' . $c_title      . '\'; ' . LINEBREAK;
	$config .= '$c_header      = \'' . $c_header     . '\'; ' . LINEBREAK;
	$config .= '$c_tagline     = \'' . $c_tagline    . '\'; ' . LINEBREAK;
	$config .= '$c_footnote    = \'' . $c_footnote   . '\'; ' . LINEBREAK;
	$config .= '$c_default     = \'' . $c_default    . '\'; ' . LINEBREAK;
	$config .= '$c_theme       = \'' . $c_theme      . '\'; ' . LINEBREAK;
	$config .= '$c_lang        = \'' . $c_lang       . '\'; ' . LINEBREAK;
	$config .= '$c_modrewrite  = '   . $c_modrewrite . '; ' . LINEBREAK;
	$config .= '$c_simplelink  = '   . $c_simplelink . '; ' . LINEBREAK;
	$config .= '$c_code        = '   . $c_code       . '; ' . LINEBREAK;
	$config .= '?>';
	
	$handle = fopen ( 'includes/Config.php', 'w' );
	fwrite ( $handle, $config );
	fclose ( $handle );
}

####################
- Exploit :
####################
Im not going to release an exploit for this issue because of possible severe damages.

####################
- Solution :
####################
There is no solution at the time of this entry.

####################
- Credit :
####################
Discovered by: trueend5 (trueend5 [at] yahoo com)

This advisory is sponsored by FarsiList:
http://www.farsilist.ir
A Persian Web Based Electronic Maling-List Management System