Vulnerability details
LokiCMS 'admin.php' Security Bypass Vulnerability
- CNNVD ID: CNNVD-200904-131
- Severity: High
- CVE ID: CVE-2008-6643
- Vulnerability type: Permissions, privileges and access control
- Published: 2008-05-31
- Threat type: Remote
- Updated: 2009-04-07
- Vendor: lokiCMS
- Reported by: alireza hassani
Vulnerability description
LokiCMS is a simple, easy-to-use web content management system.
LokiCMS's admin.php contains a logic error: the A_SAVE_G_SETTINGS branch never checks whether the caller has logged in, so a remote attacker who sets LokiACTION and the other parameters in a submitted HTTP POST request can change the CMS main settings without administrative privileges.
The vulnerable code is as follows:
```php
# admin.php Lines:24-42
if ( isset ( $_POST ) && isset ( $_POST['LokiACTION'] ) && strlen ( trim ( $_POST['LokiACTION'] ) ) > 0 ) {
    // we have an action to do
    switch ( trim ( $_POST['LokiACTION'] ) ) {
        case 'A_LOGOUT': // Logout
            unset($_SESSION[PATH]);
            break;
        case 'A_LOGIN': // Login
            if ( isset ( $_POST['login'] ) && sha1 ( $_POST['login'] ) == $c_password )
                $_SESSION[PATH] = 'logged in lokiCMS030';
            break;
        case 'A_SAVE_G_SETTINGS': // save main settings (no check of $_SESSION[PATH] before writing)
            writeconfig ( $c_password, $_POST['title'], $_POST['header'], $_POST['tagline'],
                $_POST['footnote'], $c_default, $_POST['theme'], $_POST['language'], $_POST['modrewrite'],
                $_POST['simplelink'], $_POST['code'] );
            $c_theme = $_POST['theme'];
            include PATH . '/includes/Config.php';
            include PATH . '/languages/' . $c_lang . '.lang.php';
            $msg = $lang['admin']['expressionSettingsSaved'];
            break;

# includes/functions.php Lines:163-200
function writeconfig ( $c_password, $c_title, $c_header, $c_tagline, $c_footnote, $c_default,
    $c_theme, $c_lang, $c_modrewrite, $c_simplelink, $c_code )
{
    // ...
    $config = '<?php ' . LINEBREAK;
    $config .= '// LokiCMS Config file, You can change settings in this file or via admin.php ' . LINEBREAK;
    $config .= '$c_password = \'' . $c_password . '\'; ' . LINEBREAK;
    $config .= '$c_title = \'' . $c_title . '\'; ' . LINEBREAK;
    $config .= '$c_header = \'' . $c_header . '\'; ' . LINEBREAK;
    $config .= '$c_tagline = \'' . $c_tagline . '\'; ' . LINEBREAK;
    $config .= '$c_footnote = \'' . $c_footnote . '\'; ' . LINEBREAK;
    $config .= '$c_default = \'' . $c_default . '\'; ' . LINEBREAK;
    $config .= '$c_theme = \'' . $c_theme . '\'; ' . LINEBREAK;
    $config .= '$c_lang = \'' . $c_lang . '\'; ' . LINEBREAK;
    $config .= '$c_modrewrite = ' . $c_modrewrite . '; ' . LINEBREAK;
    $config .= '$c_simplelink = ' . $c_simplelink . '; ' . LINEBREAK;
    $config .= '$c_code = ' . $c_code . '; ' . LINEBREAK;
    $config .= '?>';
    // the assembled file overwrites the live configuration
    $handle = fopen ( 'includes/Config.php', 'w' );
    fwrite ( $handle, $config );
    fclose ( $handle );
}
```
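As an added example (not LokiCMS's own code), the same LokiACTION dispatch with the authorization check the excerpt above lacks: the settings-saving branch is refused unless the session carries the flag that A_LOGIN sets. The action names, $c_password, $c_default and writeconfig() come from the excerpt; the 'loki_admin' session key, is_admin(), the dispatch() wrapper with its status strings, and the two require lines are assumptions made for this example.

```php
<?php
// Added example, not LokiCMS code: the LokiACTION dispatch from admin.php
// rewritten so the settings-saving action is refused unless the session
// carries the flag that A_LOGIN sets. Action names, $c_password, $c_default
// and writeconfig() follow the excerpt; 'loki_admin' and the status strings
// are assumptions made for this example.
const ADMIN_FLAG = 'loki_admin';

function is_admin(array $session): bool
{
    return isset($session[ADMIN_FLAG]) && $session[ADMIN_FLAG] === true;
}

// Returns a short status string so the outcome of each action is explicit.
function dispatch(array $post, array &$session, string $c_password, string $c_default): string
{
    if (!isset($post['LokiACTION']) || strlen(trim($post['LokiACTION'])) === 0) {
        return 'no-action';
    }
    switch (trim($post['LokiACTION'])) {
        case 'A_LOGOUT':
            unset($session[ADMIN_FLAG]);
            return 'logged-out';
        case 'A_LOGIN':
            // hash_equals(): strict, constant-time comparison instead of ==
            if (isset($post['login']) && hash_equals($c_password, sha1($post['login']))) {
                $session[ADMIN_FLAG] = true;
                return 'logged-in';
            }
            return 'login-failed';
        case 'A_SAVE_G_SETTINGS':
            // The check the original omits: only an authenticated session
            // may reach writeconfig(), whatever else the POST body contains.
            if (!is_admin($session)) {
                http_response_code(403);
                return 'forbidden';
            }
            $f = fn(string $k): string => (string) ($post[$k] ?? '');
            writeconfig($c_password, $f('title'), $f('header'), $f('tagline'),
                $f('footnote'), $c_default, $f('theme'), $f('language'),
                $f('modrewrite'), $f('simplelink'), $f('code'));
            return 'saved';
    }
    return 'unknown-action';
}

require 'includes/Config.php';    // assumed: defines $c_password and $c_default
require 'includes/functions.php'; // assumed: defines writeconfig()
session_start();
$status = dispatch($_POST, $_SESSION, $c_password, $c_default);
```

With this in place, a POST that only carries LokiACTION=A_SAVE_G_SETTINGS and the settings fields returns 'forbidden' (HTTP 403) instead of rewriting includes/Config.php; a 403 on admin.php for A_SAVE_G_SETTINGS without a preceding successful A_LOGIN from the same session is also the event worth alerting on.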
Vulnerability advisory
The vendor has not yet released a patch or upgrade; users of this software are advised to monitor the vendor's homepage for the latest version:
http://www.lokiCMS.com
References
- Source: XF; Name: lokiCMS-admin-security-bypass(42766); Link: http://xforce.iss.net/xforce/xfdb/42766
- Source: BID; Name: 29448; Link: http://www.securityfocus.com/bid/29448
- Source: BUGTRAQ; Name: 20080531 LokiCMS Multiple Vulnerabilities through Authorization weakness; Link: http://www.securityfocus.com/archive/1/archive/1/492877/100/0/threaded
- Source: OSVDB; Name: 45866; Link: http://osvdb.org/45866
Patch
None available