[VIM] [fwd] [Full-disclosure] SmartSiteCMS v1.0 authentication bypass -- Source Verification/Correction + more vulns
Sullo
sullo at cirt.net
Fri Sep 29 07:55:39 EDT 2006
Confirmed... sorta. I don't see an admin.php in v1, but these files in
admin/ have the same issue: they just check for the existence of the login
cookie.
admin/artadmin.php
admin/artedit.php
admin/siteadmin.php
admin/catadmin.php
admin/catedit.php
This one has no auth code at all and allows download of a db backup:
admin/backup.php
Also, any place SQL is used looks like it's prone to SQL injection. This
particular one also has XSS (not a result of SQL errors). I'm not sure of
the real risk from SQL injection in against() as I haven't seen that
before, but this is just an example of a few I saw:
search.php
$searchString = $_POST['searchString'];
[snip]
<input type="text" class="adminInput" style="width: 250px"
name="searchString" value="<? echo $searchString ?>">
[snip]
$result = mysql_query("select itemName, match(itemName, itemBody,
itemDesc) against('$searchString') as relevance from item where
match(itemName, itemBody, itemDesc) against('$searchString')",$db);
Here is the CVS archive... almost every file has SQL injection or XSS
type issues... maybe someone already at work can look at the rest!
http://smartsite.cvs.sourceforge.net/smartsite/cms/
-Sullo
--
http://www.cirt.net/ | http://www.osvdb.org/
*From:* Paulino Calderon (/nahsuckea.com/)
*Date:* Wed Aug 09 2006 - 00:10:11 CDT
------------------------------------------------------------------------
SmartSiteCMS v1.0 authentication bypass
STATUS: I contacted the vendor more than 2 months ago and still no
response.
TECHNICAL INFO
================================================================
One of the worst CMSs I've ever seen regarding security: no input sanitization
at all. Bypassing authentication just requires creating a cookie named
"userName".
Vulnerable code:
admin.php line 43
--------------------------------
<?php
if (isset($_COOKIE['userName']))
{
--------------------------------
VULNERABLE VERSIONS
---------------------------------------------------------------
I've only tested v1.0
---------------------------------------------------------------
Contact information
:Paulino Calderon
:nahsuckea.com
:http://nah.suckea.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
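The following is an added illustration, not code from SmartSiteCMS or from either poster. It places the two patterns discussed in the thread (an admin check that only tests whether a cookie exists, and a search.php that interpolates user input into a MATCH ... AGAINST query and echoes it unescaped) beside hardened forms. It assumes PDO for the database layer; the session key 'admin_user', the check() helper and all sample inputs are constructed for the example and do not come from the project.

```php
<?php
// Added example (not SmartSiteCMS code). The session key 'admin_user',
// the check() helper and the sample inputs below are constructed.

// --- 1. Admin authentication check ---------------------------------------
// Pattern from the advisory (admin.php line 43): a request carrying a cookie
// named "userName" is treated as logged in. Cookies are client-controlled,
// so their mere presence proves nothing about who sent the request.
function isAdminCookieOnly(array $cookie): bool
{
    return isset($cookie['userName']);
}

// Hardened form: authorisation derives from server-side session state that
// is only ever set after a successful credential check.
function isAdminSession(array $session): bool
{
    return isset($session['admin_user'])
        && is_string($session['admin_user'])
        && $session['admin_user'] !== '';
}

// The login step that sets that state. $storedHash is what the database
// holds for the user and was produced by password_hash().
function loginAdmin(string $user, string $password, string $storedHash, array &$session): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // In a real application also call session_regenerate_id(true) here.
    $session['admin_user'] = $user;
    return true;
}

// --- 2. search.php: SQL injection and reflected XSS -----------------------
// The original builds the query by string interpolation. Hardened form:
// the SQL text is fixed and the user value travels as a bound parameter.
function buildSearchQuery(string $searchString): array
{
    $sql = 'SELECT itemName, MATCH(itemName, itemBody, itemDesc) AGAINST(?) AS relevance '
         . 'FROM item WHERE MATCH(itemName, itemBody, itemDesc) AGAINST(?)';
    // The same value is bound twice; PDO sends it separately from the SQL.
    return [$sql, [$searchString, $searchString]];
}

function runSearch(PDO $db, string $searchString): array
{
    [$sql, $params] = buildSearchQuery($searchString);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The original echoes $searchString straight into value="...". Hardened form:
// encode on output; ENT_QUOTES covers the double-quoted attribute context.
function renderSearchBox(string $searchString): string
{
    $safe = htmlspecialchars($searchString, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" class="adminInput" style="width: 250px" '
         . 'name="searchString" value="' . $safe . '">';
}

// --- Self-check (no database needed) ---------------------------------------
function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

check(isAdminCookieOnly(['userName' => 'anything']), 'cookie-only check accepts any value');
check(!isAdminSession(['userName' => 'anything']), 'session check ignores the cookie');
$sess = [];
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
check(!loginAdmin('admin', 'wrong', $hash, $sess), 'bad password rejected');
check(!isAdminSession($sess), 'no session flag after failed login');
check(loginAdmin('admin', 'correct horse', $hash, $sess), 'good password accepted');
check(isAdminSession($sess), 'session flag set after successful login');

// A constructed input containing a quote never reaches the SQL text.
[$sql, $params] = buildSearchQuery("it's");
check(strpos($sql, "it's") === false, 'user input is not interpolated into SQL');
check($params === ["it's", "it's"], 'user input is passed as parameters');

// A constructed input with markup is rendered inert inside the attribute.
check(renderSearchBox('<b>"x"</b>') ===
      '<input type="text" class="adminInput" style="width: 250px" '
      . 'name="searchString" value="&lt;b&gt;&quot;x&quot;&lt;/b&gt;">',
      'output is HTML-encoded');
echo "all checks passed\n";
```

Run it with `php example.php`; it exercises the login and escaping paths without a database, while runSearch() shows how the parameterised query is executed once a PDO connection exists. The backup.php point from the thread is the same class of defect as the cookie check: the fix is to gate that file behind isAdminSession() too rather than leaving it reachable with no check at all.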