Fixed in CMME v1.22

Severity: MODERATE

Description:

CMME is a PHP-based content manager.

The application is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. Specifically, the issue affects the 'username' parameter in the 'admin.php' script.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Versions prior to CMME 1.22 are vulnerable.

Fixed in CMME v1.21

CMME Information Disclosure Security Issues
Secunia Advisory: SA32169

WwW.BugReport.ir  - AmnPardaz Security Research & Penetration Testing Group

Title: CMME Multiple Information disclosure vulnerabilities
Vendor: http://cmme.oesterholt.net
Bug: Information Disclosure
Vulnerable Version: 1.19 (prior versions may also be affected)
Exploitation: Remote with browser
Exploit: Available
Fix Available: No!

Description:

Quote from vendor: CMME means "Content Management Made Easy". It is a web content management system that is easy to use, doesn't have a lot of requirements and allows for reasonable flexibility.

Vulnerability:

There are multiple vulnerabilities in CMME which can be exploited by malicious people to disclose potentially sensitive information. These can be exploited to read the contents of data files on the server via a specially crafted URL, without requiring a valid login.

+-->Users Information Disclosure (Including MD5 Hashes)
POC: http://example.com/cmme/data/admin/users
+-->Server Information (phpinfo)
POC: http://example.com/cmme/info.php
+-->The Last generated server backup
POC: http://example.com/cmme/backup/cmme_data.zip

Solution:

Restrict access to these resources (the data directory, info.php and the backup directory) so that only trusted users can reach them.

Credit :

AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com

Fixed in CMME v1.19

CMME Multiple Vulnerabilities

Secunia Advisory: SA31599
Release Date: 2008-08-28

Critical: Moderately critical
Impact: Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: CMME 1.x

Description: SirGod has discovered some vulnerabilities and a security issue in CMME (Content Management Made Easy), which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

1) Input passed to the "env" parameter in index.php is not properly sanitised before being used. This can be exploited to display arbitrary files via directory traversal attacks and URL-encoded NULL bytes. Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

2) The problem is that user credentials are stored in the "backup/cmme_data.zip" and "backup/cmme_cmme.zip" files inside the web root. This can be exploited to disclose usernames and password hashes. Successful exploitation of this vulnerability requires that the administrator has used the "Make a backup" functionality.

3) Input passed to the "page" and "year" parameters in statistics.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities and the security issue are confirmed in version 1.12. Other versions may also be affected.
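Item 1 above combines two classic PHP include bugs: a path built from a request parameter, and a URL-encoded NUL byte that cuts off the ".php" suffix the script appends. The following Python is an added example, not CMME's code: it emulates the pattern include("env/" . $_GET['env'] . ".php") together with the NUL truncation of old PHP file functions, shows why the attack depends on magic_quotes_gpc being off (the setting turns the NUL into a literal backslash-zero, so the suffix survives and the file is not found), and puts a hardened version beside it. The vulnerable behaviour is modelled, not reproduced with PHP; the directory layout, the env allowlist and the secret file are constructed for the demo.

```python
"""Vulnerable vs hardened handling of an include-style parameter like "env".

Added example in Python, not CMME's PHP. It mimics the PHP pattern
include("env/" . $_GET['env'] . ".php") with C-string (NUL-truncating)
path handling, and the effect of magic_quotes_gpc on the payload.
"""
import os
import shutil
import tempfile
from urllib.parse import unquote_to_bytes

# Assumed allowlist of environment names; CMME's real set is not documented here.
ALLOWED_ENVS = {"default", "print"}


def magic_quotes_gpc(raw: bytes) -> bytes:
    """Approximate PHP's magic_quotes_gpc: backslash-escape ' " \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C):        # ' " \
            out += b"\\" + bytes([b])
        elif b == 0:
            out += b"\\0"                   # NUL becomes the two bytes "\0"
        else:
            out.append(b)
    return bytes(out)


def vulnerable_render(root: str, env_param: str, magic_quotes: bool) -> str:
    """Emulates the vulnerable include: the path is cut at the first NUL, so a
    trailing %00 in the parameter discards the ".php" suffix."""
    raw = unquote_to_bytes(env_param)        # the web server URL-decodes the query
    if magic_quotes:
        raw = magic_quotes_gpc(raw)
    path = b"env/" + raw + b".php"
    path = path.split(b"\0", 1)[0]           # NUL truncation in old PHP/libc
    with open(os.path.join(root.encode(), path), "rb") as f:
        return f.read().decode()


def hardened_render(root: str, env_param: str) -> str:
    """Reject NUL bytes, allow only known names, and confirm the resolved path
    stays inside env/ (defence in depth behind the allowlist)."""
    raw = unquote_to_bytes(env_param)
    if b"\0" in raw:
        raise ValueError("NUL byte in env parameter")
    name = raw.decode("ascii")
    if name not in ALLOWED_ENVS:
        raise ValueError(f"unknown env {name!r}")
    env_dir = os.path.realpath(os.path.join(root, "env"))
    full = os.path.realpath(os.path.join(env_dir, name + ".php"))
    if os.path.commonpath([env_dir, full]) != env_dir:
        raise ValueError("path escapes env/")
    with open(full, "rb") as f:
        return f.read().decode()


def demo() -> dict:
    """Build a constructed install tree and run the same payload through
    all three configurations; returns what each one produced."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "env"))
        with open(os.path.join(root, "env", "default.php"), "w") as f:
            f.write("<?php /* default env */ ?>")
        with open(os.path.join(root, "secret.txt"), "w") as f:
            f.write("db_password=hunter2")       # constructed secret outside env/
        payload = "../secret.txt%00"            # traversal plus NUL to drop ".php"
        results = {"vuln_no_magic_quotes": vulnerable_render(root, payload, False)}
        try:
            vulnerable_render(root, payload, True)
            results["vuln_magic_quotes"] = "read"
        except FileNotFoundError:               # looks for "secret.txt\0.php"
            results["vuln_magic_quotes"] = "blocked"
        try:
            hardened_render(root, payload)
            results["hardened"] = "read"
        except ValueError:
            results["hardened"] = "blocked"
        results["hardened_legit"] = hardened_render(root, "default")
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} {outcome}")
```

The allowlist is what actually fixes the bug; the realpath containment check is there so a later change that widens the allowlist cannot silently reintroduce traversal. Note that magic_quotes_gpc only happened to block this payload; it was never a security control and is gone from modern PHP.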

Solution: Edit the source code to ensure that input is properly sanitised. Restrict access to the "backup" directory (e.g. with ".htaccess").
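Both advisories on this page describe attacks that leave distinctive traces in web server logs: direct requests for data/admin/users, info.php and the backup archives, "../" or "%00" in the env parameter of index.php, and script markup in the page and year parameters of statistics.php or the username parameter of admin.php. The scanner below is an added example, not part of either advisory or of CMME: it parses combined-format access log lines, looks for those indicators, and groups findings by source address. The log lines are constructed, and the /cmme/ prefix is an assumption about where the application is installed.

```python
"""Flag CMME exploitation attempts in combined-format access logs.

Added example, not from the advisories or from CMME. Indicators come from
the two advisories on this page; the /cmme/ install prefix is an assumption.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Files the advisories say are readable without a login.
EXPOSED_FILES = (
    re.compile(r"/cmme/data/admin/users$"),
    re.compile(r"/cmme/info\.php$"),
    re.compile(r"/cmme/backup/cmme_(data|cmme)\.zip$"),
)
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|\x00)")
XSS_RE = re.compile(r"(<\s*script|javascript:|on\w+\s*=|<\s*img)", re.I)
# Parameters the advisories name as reflected without encoding.
XSS_PARAMS = {
    "/cmme/statistics.php": {"page", "year"},
    "/cmme/admin.php": {"username"},
}


def analyse(line: str) -> list:
    """Return the indicator names found in one log line ([] if benign or unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    path = unquote(url.path)
    findings = []
    for rx in EXPOSED_FILES:
        if rx.search(path):
            # A 200 means the file was actually served; anything else is a probe.
            findings.append("exposed-file-read" if m.group("status") == "200"
                            else "exposed-file-probe")
    # parse_qsl percent-decodes values, so %00 becomes a real NUL and %3C a "<".
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if path == "/cmme/index.php" and key == "env" and TRAVERSAL_RE.search(value):
            findings.append("env-traversal")
        if key in XSS_PARAMS.get(path, set()) and XSS_RE.search(value):
            findings.append("reflected-xss-attempt")
    return findings


def scan(lines) -> dict:
    """Aggregate findings per source IP: {ip: [indicator, ...]}."""
    report = {}
    for line in lines:
        findings = analyse(line)
        if findings:
            ip = LOG_RE.match(line).group("ip")
            report.setdefault(ip, []).extend(findings)
    return report


# Constructed sample: one normal visitor, one traversal attempt, one client
# probing the exposed files and trying a reflected XSS payload.
SAMPLE_LOG = [
    '192.0.2.9 - - [28/Aug/2008:10:11:00 +0000] "GET /cmme/index.php?env=default HTTP/1.1" 200 5120',
    '203.0.113.7 - - [28/Aug/2008:10:12:05 +0000] "GET /cmme/index.php?env=../../../../etc/passwd%00 HTTP/1.1" 200 1834',
    '198.51.100.4 - - [28/Aug/2008:10:13:40 +0000] "GET /cmme/backup/cmme_data.zip HTTP/1.1" 403 219',
    '198.51.100.4 - - [28/Aug/2008:10:13:41 +0000] "GET /cmme/data/admin/users HTTP/1.1" 200 412',
    '198.51.100.4 - - [28/Aug/2008:10:14:02 +0000] "GET /cmme/statistics.php?page=%3Cscript%3Ealert(1)%3C/script%3E&year=2008 HTTP/1.1" 200 2210',
    '192.0.2.9 - - [28/Aug/2008:10:15:00 +0000] "GET /cmme/statistics.php?page=1&year=2008 HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(findings))
```

The status code matters for triage: a 200 on data/admin/users means the hashes are already in the attacker's hands and every password in that file should be treated as compromised, whereas a 403 shows the .htaccess restriction from the solution above doing its job.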
