--------------------------------------------------------------------------------------------
20100625 - Justanotherhacker.com : Multiple vulnerabilities in maiacms
JAHx103 - http://www.justanotherhacker.com/advisories/JAHx103.txt
--------------------------------------------------------------------------------------------

MaiaCMS is an open source PHP based content management system (CMS). It is designed with
simplicity in mind to help you easily build and maintain your web site. It is freely
available to everyone.
[ Taken from: http://maiacms.sourceforge.net/ ]

--- Vulnerability description ---
Multiple vulnerabilities exist in maiacms, here are some of them.

Discovered by: Eldar "Wireghoul" Marcussen
Severity: Low
Release: Full disclosure
Affected versions: 0.1

--- SQL injection ---
The index.php script does not properly sanitize the page parameter, resulting in several
paths to SQL injection.
PoC: /index.php?page=1' or 'a'='a

--- Local file inclusion ---
The admin/index.php script does not properly sanitize the com or file parameters,
resulting in local file inclusion.
PoC: /admin/index.php?com=../../../../../../../../etc/passwd%00

--- Authentication bypass ---
Most of the admin pages have a check-and-redirect-to-login snippet to validate login:
list_pages.php:1: $value) {
update_session.php:9: $_SESSION[$key] = $value;
update_session.php:10:}
update_session.php:11:
update_session.php:12:$db->Close();
update_session.php:13:?>

--- Solution ---
Wait for the next or non alpha release

--- Disclosure time line ---
25-Jun-2010 - Public disclosure
25-Jun-2010 - Vendor notified through email
25-Jun-2010 - Vendor response
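
Added example, not part of the original advisory and not MaiaCMS code: the input handling whose absence the SQL injection and local file inclusion sections describe, checked against the two PoC values above. The function names, the pages table and the component directory are assumptions, as is the premise that page is a numeric id and com names a PHP script.

```php
<?php
// Added example, not MaiaCMS code. Function, table and directory names are
// assumptions; it assumes `page` is a numeric id and `com` names a script.

function page_id(?string $raw): ?int
{
    // Accept only a positive integer; "1' or 'a'='a" fails validation.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function load_page(PDO $db, int $id): ?array
{
    // Bind the id as a parameter instead of concatenating it into the SQL.
    $stmt = $db->prepare('SELECT * FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

function resolve_component(string $name, string $baseDir): ?string
{
    // Name allowlist: dots, slashes and NUL bytes never reach the filesystem.
    if (!preg_match('/\A[a-z0-9_]{1,64}\z/i', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    // realpath() resolves symlinks; the result must still sit under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: the advisory's two PoC values (URL-decoded) and benign ones.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'jahx103_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'example.php', "<?php\n");
$checks = [
    'page: SQLi PoC rejected' => page_id("1' or 'a'='a") === null,
    'page: integer accepted'  => page_id('1') === 1,
    'com: LFI PoC rejected'   => resolve_component("../../../../../../../../etc/passwd\0", $dir) === null,
    'com: known name allowed' => resolve_component('example', $dir) !== null,
];
foreach ($checks as $label => $ok) {
    echo ($ok ? 'ok   ' : 'FAIL ') . $label . PHP_EOL;
}
unlink($dir . DIRECTORY_SEPARATOR . 'example.php'); rmdir($dir);
```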