Vulnerability Development: Re: Simple CMS

Re: Simple CMS

From: Volker Tanger <vtlists_at_wyae.de>
Date: Thu, 3 Aug 2006 11:58:45 +0200

On 2 Aug 2006 11:14:43 -0000
daaan_at_gmail.com wrote:

> The cms from http://www.cms-center.com/ uses no security at all, just
> a boolean "isloggedin". If you submit "loggedin=1" in the URL of any
> of the admin pages, you get full control.
>
> Proof:
> 1. Google for "powered by php mysql simple cms"
> 2. type "admin/config_pages.php?loggedin=1" behind the url
> 3. Done. It works on every admin page that uses the so called
> auth.php.

*sigh*
Another one of those.

Solution:
Set PHP to register_globals = off

At a *very* brief glance at SimpleCMS it looks as if it should run with
register_globals = off as it's using $_GET and $_POST to access parameters.

Thus it is not even a SimpleCMS-induced bug (as in: requires that
setting) in the PHP configuration, but simply plain ignorance or
stupidity of the webserver admin.

Bye

Volker

-- 
Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists_at_wyae.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
Received on Aug 03 2006
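
The php.ini setting recommended above is not the only place the value can come from: register_globals can also be switched per directory with php_flag in Apache configuration or .htaccess. As an added example (not part of the original message or of SimpleCMS), this Python check reports the effective setting from both sources; the function names and the sample file contents are constructed for illustration.

```python
import re

TRUE_VALUES = {"1", "on", "true", "yes"}   # spellings PHP treats as boolean true

def _is_on(value):
    return value.strip().strip("\"'").lower() in TRUE_VALUES

def ini_register_globals(text, default=False):
    """Effective register_globals from php.ini text; the last assignment wins.
    The default is Off, as in PHP 4.2.0 and later."""
    state = default
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ';' comments
        m = re.match(r"register_globals\s*=\s*(.*)$", line)
        if m:
            state = _is_on(m.group(1))
    return state

def perdir_register_globals(text):
    """Value set via php_flag / php_admin_flag / php_value in Apache config
    or .htaccess text, or None when the directive is absent."""
    state = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop '#' comments
        m = re.match(
            r"(?i:php_(?:admin_)?(?:flag|value))\s+register_globals\s+(\S+)", line)
        if m:
            state = _is_on(m.group(1))
    return state

def effective(ini_text, perdir_text=""):
    """Per-directory settings override php.ini for the directory they apply to."""
    override = perdir_register_globals(perdir_text)
    return ini_register_globals(ini_text) if override is None else override

# Constructed sample files: php.ini looks safe, .htaccess turns the setting back on.
SAMPLE_INI = """[PHP]
; register_globals = On
register_globals = Off
"""
SAMPLE_HTACCESS = """# legacy app needs this
php_flag register_globals on
"""

if __name__ == "__main__":
    print("php.ini only:      ", ini_register_globals(SAMPLE_INI))
    print("with .htaccess:    ", effective(SAMPLE_INI, SAMPLE_HTACCESS))
```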