Just Another Hacker
Author's avatar

Multiple vulnerabilities in maiacms

MaiaCMS is an open source PHP based content management system (CMS). It is designed with simplicity in mind to help you easily build and maintain your web site. It is freely available to everyone. [ Taken from: http://maiacms.sourceforge.net/ ]

Vulnerability description

Multiple vulnerabilities exist in maiacms, here are some of them.

  • Discovered by: Eldar “Wireghoul” Marcussen
  • Affected versions: 0.1

SQL injection

The index.php script does not properly sanitize the page parameter, resulting in several paths to SQL injection. PoC:

/index.php?page=1' or 'a'='a

Local file inclusion

The admin/index.php script does not properly sanitize the com or file parameters, resulting in local file inclusion. PoC:

/admin/index.php?com=../../../../../../../../etc/passwd%00

Authentication bypass

Most of the admin pages has a check and redirect to login snippet to validate login:

list_pages.php:1:<?php
            list_pages.php:2:   require ("../includes/connections.php"); //Includes functions and database connection
            list_pages.php:3:   
            list_pages.php:4:   if (empty($is_admin)) {
            list_pages.php:5:       header("Location: login.php");
            list_pages.php:6:   }

However it does not halt execution after the header redirect. This allows code to be executed past the point of redirection.

PoC:

curl 'http://maiacms.sourceforge.net/admin/list_pages.php?id=1&category=1'

Session control

The script update_session.php relies on the the aforementioned access control weakness and allows the session data to be changed or created directly through a HTTP POST operation.

update_session.php:1:<?php
            update_session.php:2:require_once("../includes/connections.php");
            update_session.php:3:
            update_session.php:4:if (empty($is_admin)) {
            update_session.php:5:       header("Location: /admin/login.php");
            update_session.php:6:   }
            update_session.php:7:   
            update_session.php:8:foreach ($_POST as $key => $value) {
            update_session.php:9:   $_SESSION[$key] = $value;
            update_session.php:10:}
            update_session.php:11:
            update_session.php:12:$db->Close();
            update_session.php:13:?>

Solution

Wait for the next or non alpha release

Disclosure time line

  • 25-Jun-2010 - Public disclosure
  • 25-Jun-2010 - Vendor notified through email
  • 25-Jun-2010 - Vendor response

graudit

Static source code analysis tool for finding vulnerabilities in source code.

htshells

Self contained attacks against per directory configuration in web servers.

PHP omelette

Code obfuscation tool for bypassing web application firewalls.

More

All of the project information on one page!