LokiCMS admin.php文件绕过安全限制漏洞

BUGTRAQ ID: 29448 LokiCMS是一款简单易用的网络内容管理系统。 LokiCMS的admin.php文件中存在逻辑错误，如果远程攻击者在所提交的HTTP POST请求中设置了LokiACTION和其他参数的话，则无需管理权限就可以设置CMS main settings。 以下是有漏洞的代码段： # admin.php Lines:24-42 if ( isset ( $_POST ) &amp;&amp; isset ( $_POST['LokiACTION'] ) &amp;&amp; strlen ( trim ( $_POST['LokiACTION'] ) ) &gt; 0 ) { // we have an action to do switch ( trim ( $_POST['LokiACTION'] ) ) { case 'A_LOGOUT': // Logout unset($_SESSION[PATH]); break; case 'A_LOGIN': // Login if ( isset ( $_POST['login'] ) &amp;&amp; sha1 ( $_POST['login'] ) == $c_password ) $_SESSION[PATH] = 'logged in lokicms030'; break; case 'A_SAVE_G_SETTINGS': //save main settings writeconfig ( $c_password, $_POST['title'], $_POST['header'], $_POST['tagline'], $_POST['footnote'], $c_default, $_POST['theme'], $_POST['language'], $_POST['modrewrite'], $_POST['simplelink'], $_POST['code'] ); $c_theme = $_POST['theme']; include PATH . '/includes/Config.php'; include PATH . '/languages/' . $c_lang . '.lang.php'; $msg = $lang ['admin'] ['expressionSettingsSaved']; break; # includes/Functions.php Lines:163-200 function writeconfig ( $c_password, $c_title, $c_header, $c_tagline, $c_footnote, $c_default, $c_theme, $c_lang, $c_modrewrite, $c_simplelink, $c_code ) { . . . $config = '&lt;?php ' . LINEBREAK; $config .= '// LokiCMS Config file, You can change settings in this file or via admin.php ' . LINEBREAK; $config .= '$c_password = \'' . $c_password . '\'; ' . LINEBREAK; $config .= '$c_title = \'' . $c_title . '\'; ' . LINEBREAK; $config .= '$c_header = \'' . $c_header . '\'; ' . LINEBREAK; $config .= '$c_tagline = \'' . $c_tagline . '\'; ' . LINEBREAK; $config .= '$c_footnote = \'' . $c_footnote . '\'; ' . LINEBREAK; $config .= '$c_default = \'' . $c_default . '\'; ' . LINEBREAK; $config .= '$c_theme = \'' . $c_theme . '\'; ' . LINEBREAK; $config .= '$c_lang = \'' . $c_lang . '\'; ' . LINEBREAK; $config .= '$c_modrewrite = ' . $c_modrewrite . '; ' . LINEBREAK; $config .= '$c_simplelink = ' . $c_simplelink . '; ' . LINEBREAK; $config .= '$c_code = ' . $c_code . '; ' . LINEBREAK; $config .= '?&gt;'; $handle = fopen ( 'includes/Config.php', 'w' ); fwrite ( $handle, $config ); fclose ( $handle ); } LokiCMS 0.3.4 LokiCMS ------- 目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本： <a href=http://www.lokicms.com/ target=_blank>http://www.lokicms.com/</a>