
LucidCMS multiple vulns






Multiple Vulnerabilities in LucidCMS

 Author   : Rusydi Hasan M
 a.k.a    : cR45H3R
 Date     : April,1st 2006
 Location : Indonesia, Cilacap

--- Software description

 lucidCMS is a simple and flexible content management system for
 the individual or organization that wishes to manage a collection
 of web pages without the overhead and complexity of other available
 open source "community" CMS options.

 Home    : http://lucidCMS.net
 Version : 2.0.0 RC4

--- The bugs

 There are 2 bugs: XSS and full path disclosure.

--- PoC


1. XSS a.k.a Cross site scripting

   Proof of concept:

http://[victim]/[lucidcms_dir]/index.php?command=login'>[XSS_here] 
http://[victim]/[lucidcms_dir]/index.php?i18n=cs_CZ&command=panel'>[XSS_here] 
http://[victim]/[lucidcms_dir]/index.php?i18n=en_US&command=panel'>[XSS_here] 

   example :

  
http://127.0.0.1/lucidcms/index.php?i18n=en_US&command=panel'> 

http://127.0.0.1/lucidcms/index.php?i18n=en_US&command=panel'>

Bla bla bla

http://127.0.0.1/lucidcms/index.php?command=login'>

http://127.0.0.1/lucidcms/index.php?i18n=cs_CZ&command=panel'>

stooopidz

2. Full path disclosure in /lucid_phplib/translator.php

http://[victim]/[lucidcms_dir]/lucid_phplib/translator.php

   Warning: opendir(DIR_LANG): failed to open dir: No such file or directory in /var/www/html/lucidcms/lucid_phplib/translator.php on line 45
   Warning: readdir(): supplied argument is not a valid Directory resource in /var/www/html/lucidcms/lucid_phplib/translator.php on line 46

   Where's the problem ???

   function get_languages(){
       $langs = array();
       $dir = opendir(DIR_LANG);            // <-- This is the trouble
       while($name = readdir($dir)) {       // <-- and this too
           if ($name == '.' || $name== '..') continue;
           $langFile = DIR_LANG.$name.'/LC_MESSAGES/'.CONFIG_DOMAIN.'.mo';
           if (file_exists($langFile)) {
               // $GLOBALS['echoLater'][] = $langFile; //troubleshooting...
               $langs[] = $name;
           }
       }
       return $langs;
   }//get_languages

--- vendor

 I'm too lazy :D .

--- shoutz

 1. kecoak (fwerd,chiko,cbug,ladybug,litherr,cybertank,cyb3rh3b,cahcephoe,scut,etc)
 2. echo staff (y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous, the day)
 3. ph03n1x,ghoz,spyoff,slackX,r34d3r,xnuxer,negative,sakitjiwa

--- contact

 crasher@kecoak.or.id
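A hardened sketch of the two code paths described above, as an added example that is not part of the original advisory or of LucidCMS. The warning text shows opendir() receiving the literal string DIR_LANG, which is how older PHP treats an undefined constant when translator.php is requested directly. The function names, the login/panel allowlist (taken from the URLs above) and the temporary sample tree are assumptions.

```php
<?php
// Added example, not LucidCMS code. DIR_LANG and CONFIG_DOMAIN come from the
// advisory's excerpt; function names, allowlist and sample tree are assumed.
// List languages that have a compiled catalogue. Returns [] instead of
// emitting warnings (which carry the install path) when DIR_LANG is unusable.
function get_languages_safe(): array
{
    // Short-circuit keeps is_dir() from ever seeing an undefined constant.
    if (!defined('DIR_LANG') || !defined('CONFIG_DOMAIN') || !is_dir(DIR_LANG)) {
        return [];
    }
    $dir = opendir(DIR_LANG);
    if ($dir === false) {
        return [];
    }
    $langs = [];
    // Strict comparison: a directory entry named "0" must not end the loop.
    while (($name = readdir($dir)) !== false) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $mo = rtrim(DIR_LANG, '/') . "/$name/LC_MESSAGES/" . CONFIG_DOMAIN . '.mo';
        if (is_file($mo)) {
            $langs[] = $name;
        }
    }
    closedir($dir);
    return $langs;
}

// Value of ?command= for reflection into an HTML attribute: allowlist first,
// then encode quotes and angle brackets so "'>" cannot close the attribute.
function safe_command(string $raw, array $allowed = ['login', 'panel']): string
{
    $cmd = in_array($raw, $allowed, true) ? $raw : 'login';
    return htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8');
}

// Constructed demo: first as a direct request (constants undefined), then
// with a sample language tree, then with the advisory's placeholder payload.
var_dump(get_languages_safe());
$root = sys_get_temp_dir() . '/lucid_demo_' . getmypid() . '/';
foreach (['en_US', 'cs_CZ', '0'] as $l) {
    mkdir($root . "$l/LC_MESSAGES", 0700, true);
    touch($root . "$l/LC_MESSAGES/lucid.mo");
}
define('DIR_LANG', $root);
define('CONFIG_DOMAIN', 'lucid');          // constructed value
var_dump(get_languages_safe());
var_dump(safe_command("panel'>[XSS_here]"));
```

On a production host, display_errors should also be off so that any remaining warning goes to the log rather than the response.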

