SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   holaCMS Vendors:   holaCMS Team
holaCMS Discloses Administrator Password to Remote Users
SecurityTracker Alert ID:  1007497
SecurityTracker URL:  http://securitytracker.com/id/1007497
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 14 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Modification of authentication information, Modification of user information
Exploit Included:  Yes  
Version(s): 1.2.9-10 and prior versions
Description:   A vulnerability was reported in holaCMS. A remote user can obtain the administrator's password.

It is reported that the 'htmltags.php' script does not require authentication. A remote user can invoke this script and include the password file. This allows a remote user to view the administrator's password or edit arbitrary passwords.

A demonstration exploit URL is provided:

http://[target]/path_of_hola/admin/cms/htmltags.php?datei=./sec/data.php

The vendor has reportedly been notified.

Impact:   A remote user can edit the password file or view the administrator's password.
Solution:   No solution was available at the time of this entry.

The author of the report has provided a workaround [described in the Source Message].

Vendor URL:  holacms.drunkencat.net/ (Links to External Site)
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Virginity Security Advisory 2003-001 : Hola CMS - Admin Password




- - - --------------------------------------------------------------------
Virginity Security Advisory 2003-001
- - - --------------------------------------------------------------------
             DATE : 2003-08-13 03:11 GMT
             TYPE : remote
VERSIONS AFFECTED : <== hola-cms-1.2.9-10 (http://holacms.drunkencat.net/)
           AUTHOR : Virginity
- - - --------------------------------------------------------------------


Description:

I found a security bug in Hola CMS with which you can get the admin 
password.
The bug is in the htmltags.php - the file was written to edit an internal 
file.
The Problem is htmltags.php doesn't check if you are
logged in as administrator so you can include the unprotected passwordfile
and htmltags.php shows the password file which you can edit freely or just
steal the password to gain possible acces to the whole server.

Author of the Software has been notified.

- - - --------------------------------------------------------------------


Example:
http://www.targetexample.com/path_of_hola/admin/cms/htmltags.php?
datei=./sec/data.php

shows you the username and password of the administrator!


- - - --------------------------------------------------------------------


Solution:

Put the following code at the beginning of htmltags.php

<?
 include_once('./sec/data.php');
 include_once('./sec/auth.php');
?>


- - - --------------------------------------------------------------------

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC