Atomo64's Blog

A look into a programmer and administrator's life

Webinsta CMS, unsafe?

Yesterday I got an e-mail from a person who wanted to know whether the Webinsta CMS was secure or not, because he had found a Secunia advisory for the Webinsta CMS (not for Webinsta's Limbo CMS) and an exploit for that vulnerability.
After checking the links I noticed that, yes, somebody did find that vulnerability, which can be found in any Webinsta CMS version prior to 0.4.x.

I think I'll have to ask Ceasar to no longer host that old Webinsta CMS version and instead redirect all the visitors to my website, where they can find the latest version of the Webinsta CMS, which is not vulnerable. Of course, the latest version can always be found on the Webinsta CMS page of my website.

More information about the vulnerability:

The vulnerability is caused by the code that emulates PHP's register_globals=on setting.
What happens when a vulnerable website is called with the title=some%20title query? This is what happens:
  1. An HTTP request is made to index.php?title=some%20title
  2. index.php includes the configuration file (config.php), which contains the website title and some other information (including the administrators' username and password).
  3. index.php includes code/globaldefs.php, which emulates register_globals=on whether the server has register_globals set to on or off. During the emulation it doesn't check which variables already exist, so it overrides the global variable $title, setting its content to "some title".
  4. index.php continues its execution.


This means that ANY parameter being sent can be set as a global variable, even overriding the website configuration.
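
The override in step 3, as an added example that is not Webinsta CMS code: the global scope is modelled as an array, the configuration values and request are constructed, and all function names are hypothetical. The second function shows one general way to import request parameters without replacing existing values; it is not the fix shipped in 0.4.x.

```php
<?php
// Constructed stand-in for the values config.php would define.
function load_config(): array {
    return ['title' => 'My Site', 'admin_user' => 'admin'];
}

// Unsafe emulation as described in step 3: every request parameter is
// copied into the variable table, replacing whatever config.php defined.
function emulate_unsafe(array $vars, array $request): array {
    foreach ($request as $name => $value) {
        $vars[$name] = $value;
    }
    return $vars;
}

// Safer emulation: only allowlisted names are imported, only as strings,
// and a name that already exists (set by the config) is never replaced.
function emulate_safe(array $vars, array $request, array $allowed): array {
    foreach ($allowed as $name) {
        if (array_key_exists($name, $request)
            && !array_key_exists($name, $vars)
            && is_string($request[$name])) {
            $vars[$name] = $request[$name];
        }
    }
    return $vars;
}

// Constructed request: index.php?title=some%20title&page=news
parse_str('title=some%20title&page=news', $request);

$unsafe = emulate_unsafe(load_config(), $request);
// 'title' is allowlisted here on purpose, to show the existence check.
$safe = emulate_safe(load_config(), $request, ['page', 'title']);

echo "unsafe title: {$unsafe['title']}\n";
echo "safe title:   {$safe['title']}\n";
echo "safe page:    {$safe['page']}\n";
```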

What does that mean?
The website can be affected in many ways: changing the website title, loading modules, loading external scripts (if the server's configuration allows opening sockets).

Can this vulnerability be used to log in to the administration panel?
Yes and no. The vulnerability can be used to retrieve the admin username and password, or even more. But it doesn't affect the admin login page, because the script that makes sure the admin user and password match the ones set in the config.php file doesn't load the code that introduces the vulnerability.

Everybody who has a Webinsta CMS website should upgrade to 0.4.x immediately.


How is it fixed on the latest Webinsta CMS version?
The code that emulates register_globals=on is no longer loaded on pages that don't require this special (and bad) PHP setting, meaning that it is only used in a few pages of the administration panel, because index.php no longer makes use of register_globals. This is just a small fix, because that code is not used in the in-development InWeb CMS (which is based on the Webinsta CMS).


Comments

Erik writes:

Thanx for your fix and your continued progress in improving Webinsta CMS.

By anonymous user, # 18. November 2006, 16:25:55
