Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: bx3370.htm

LokiCMS Multiple Vulnerabilities through Authorization weakness



LokiCMS Multiple Vulnerabilities through Authorization weakness
LokiCMS Multiple Vulnerabilities through Authorization weakness



#######################################################################################
# Title: LokiCMS Multiple Vulnerabilities through Authorization weakness
# Vendor: http://www.lokicms.com 
# Bugs: Arbitrary File Overwrite,Code Injection,File Inclusion,Retrieve Admin's Hash
# Vulnerable Version: LokiCMS 0.3.4 (prior versions also may be affected)
# Exploitation: Remote with browser
# Impact: Very High
# Fix: N/A
#######################################################################################

####################
- Description:
####################

LokiCMS is a content management system that is designed to be simple and clear.
Most cms systems are way to complicated if you just want to make a small mostly static site,
LokiCMS allows you to make a simple site with a few clicks.


####################
- Vulnerability:
####################
Its possible for a remote attacker to set "CMS main settings" without admin privileges.
There is a logical weakness in "admin.php" which could result in multiple vulnerabilitis 
simply by set "LokiACTION" and desired parameters via http POST method. 


####################
- Code Snippet:
####################

# admin.php Lines:24-42
if ( isset ( $_POST ) && isset ( $_POST['LokiACTION'] ) && strlen ( trim ( $_POST['LokiACTION'] )
) > 0 ) {
	// we have an action to do
	switch ( trim ( $_POST['LokiACTION'] ) ) {
		case 'A_LOGOUT': // Logout
			unset($_SESSION[PATH]);
			break;
	=09
		case 'A_LOGIN': // Login
			if ( isset ( $_POST['login'] ) && sha1 ( $_POST['login'] ) == $c_password )
				$_SESSION[PATH] = 'logged in lokicms030';
			break;
	=09
		case 'A_SAVE_G_SETTINGS': //save main settings
			writeconfig ( $c_password, $_POST['title'], $_POST['header'], $_POST['tagline'],
$_POST['footnote'], $c_default, $_POST['theme'], $_POST['language'], $_POST['modrewrite'],
$_POST['simplelink'], $_POST['code'] );
  			$c_theme = $_POST['theme'];
			include PATH . '/includes/Config.php';
			include PATH . '/languages/' . $c_lang . '.lang.php';
			$msg = $lang ['admin'] ['expressionSettingsSaved'];
			break;

# includes/Functions.php Lines:163-200
function writeconfig ( $c_password, $c_title, $c_header, $c_tagline, $c_footnote, $c_default,
$c_theme, $c_lang, $c_modrewrite, $c_simplelink, $c_code )
{
	.
	.
	.=09
	$config  = '';
=09
	$handle = fopen ( 'includes/Config.php', 'w' );
	fwrite ( $handle, $config );
	fclose ( $handle );
}

####################
- Exploit :
####################
Im not going to release an exploit for this issue because of possible severe damages.

####################
- Solution :
####################
There is no solution at the time of this entry.

####################
- Credit :
####################
Discovered by: trueend5 (trueend5 [at] yahoo com)

This advisory is sponsored by FarsiList:
http://www.farsilist.ir 
A Persian Web Based Electronic Maling-List Management System



      


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH