LokiCMS是一款简单易用的网络内容管理系统。

LokiCMS的admin.php文件中存在逻辑错误:如果远程攻击者在所提交的HTTP POST请求中设置了LokiACTION和其他参数,则无需管理权限就可以设置CMS main settings。从下面的代码段可以看到,A_SAVE_G_SETTINGS分支在调用writeconfig()之前没有检查$_SESSION[PATH]中的登录状态。

以下是有漏洞的代码段:

```php
# admin.php Lines:24-42
if ( isset ( $_POST ) && isset ( $_POST['LokiACTION'] ) && strlen ( trim ( $_POST['LokiACTION'] ) ) >0 ) {
    // we have an action to do
    switch ( trim ( $_POST['LokiACTION'] ) ) {
        case 'A_LOGOUT': // Logout
            unset($_SESSION[PATH]);
            break;
        case 'A_LOGIN': // Login
            if ( isset ( $_POST['login'] ) && sha1 ( $_POST['login'] ) == $c_password )
                $_SESSION[PATH] = 'logged in lokicms030';
            break;
        case 'A_SAVE_G_SETTINGS': //save main settings
            writeconfig ( $c_password, $_POST['title'], $_POST['header'], $_POST['tagline'], $_POST['footnote'], $c_default, $_POST['theme'], $_POST['language'], $_POST['modrewrite'], $_POST['simplelink'], $_POST['code'] );
            $c_theme = $_POST['theme'];
            include PATH . '/includes/Config.php';
            include PATH . '/languages/' . $c_lang . '.lang.php';
            $msg = $lang ['admin'] ['expressionSettingsSaved'];
            break;
```

```php
# includes/Functions.php Lines:163-200
function writeconfig ( $c_password, $c_title, $c_header, $c_tagline, $c_footnote, $c_default, $c_theme, $c_lang, $c_modrewrite, $c_simplelink, $c_code ) {
    .
    .
    $config = '<?php ' . LINEBREAK;
    $config .= '// LokiCMS Config file, You can change settings in this file or via admin.php ' . LINEBREAK;
    $config .= '$c_password = \'' . $c_password . '\'; ' . LINEBREAK;
    $config .= '$c_title = \'' . $c_title . '\'; ' . LINEBREAK;
    $config .= '$c_header = \'' . $c_header . '\'; ' . LINEBREAK;
    $config .= '$c_tagline = \'' . $c_tagline . '\'; ' . LINEBREAK;
    $config .= '$c_footnote = \'' . $c_footnote . '\'; ' . LINEBREAK;
    $config .= '$c_default = \'' . $c_default . '\'; ' . LINEBREAK;
    $config .= '$c_theme = \'' . $c_theme . '\'; ' . LINEBREAK;
    $config .= '$c_lang = \'' . $c_lang . '\'; ' . LINEBREAK;
    $config .= '$c_modrewrite = ' . $c_modrewrite . '; ' . LINEBREAK;
    $config .= '$c_simplelink = ' . $c_simplelink . '; ' . LINEBREAK;
    $config .= '$c_code = ' . $c_code . '; ' . LINEBREAK;
    $config .= '?>';
    $handle = fopen ( 'includes/Config.php', 'w' );
    fwrite ( $handle, $config );
    fclose ( $handle );
}
```

需要注意的是,writeconfig()把POST参数不经转义或校验直接拼接进includes/Config.php,而admin.php在保存后立即include该文件;其中$c_modrewrite、$c_simplelink、$c_code三项写入时甚至没有引号包裹。因此该问题的影响可能不限于篡改站点设置,被写入的内容会作为PHP代码被解释。

修复与排查建议:在处理A_LOGIN以外的任何操作之前先校验$_SESSION[PATH]中的登录状态;写入配置文件前对各参数做类型和白名单校验(布尔/数值项强制转换类型,theme、language只允许已存在的名称),字符串值用var_export()之类的方式生成而不是手工拼接引号;同时检查现有的includes/Config.php是否含有非预期内容,并在Web访问日志中排查未登录来源对admin.php提交的POST请求。