Security Flaw (Image/Filemanager)
Priority: 5 Status: Closed Resolution: Yes
Description:
I've found some critical bugs in /js/editor/plugins/jakadminexplorer (also jakadminimage, jakusrexplorer and jakusrimage are vulnerable).
The authentication schema could be bypassed in /php/session.php; this is the vulnerable code:
if ($SESSION["check_session_variable"] != "") {
    // Start the session
    session_start();
    // Check the session variable: the key name is read from $SESSION, and only its existence is tested
    if (!isset($_SESSION[$SESSION["check_session_variable"]])) {
        include("error.php");
        die;
    }
}
An attacker might be able to start a session by accessing /index.php, which sets e.g. the "jak_lastURL" session variable, then set $SESSION["check_session_variable"] to bypass this trivial auth schema.
In this way an unauthenticated user has access to the "Explorer" and "Image Manager" plugins and could delete, create or rename any folder/file on the webserver, or upload arbitrary files.
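To make the flaw concrete, the following is an added example (not JAKCMS code and not part of the report) that models the check from session.php next to a hardened replacement. It assumes that the contents of $SESSION["check_session_variable"] can be influenced by the client, which the report states but does not explain; the session key names jak_admin_uid and jak_admin_file_manager, and the sample session arrays, are constructed for the example.

```php
<?php
// Added example, not JAKCMS code. Models the session.php gate and a hardened
// form. Assumption: $config['check_session_variable'] is attacker-influenced.
declare(strict_types=1);

/**
 * Flawed gate, as in the reported session.php: the NAME of the session key
 * to test comes from configuration the client can influence, and the test is
 * only isset(). Any key a public page already stored (index.php stores
 * jak_lastURL) therefore satisfies it.
 */
function flawed_gate(array $config, array $session): bool
{
    if ($config['check_session_variable'] != '') {
        if (!isset($session[$config['check_session_variable']])) {
            return false; // session.php would include error.php and die
        }
    }
    return true;
}

// Hardened form: the key is a fixed application constant, the value must be a
// real user id, and the file-manager plugins need an explicit privilege flag.
// Both key names are assumed for this example.
const ADMIN_SESSION_KEY    = 'jak_admin_uid';
const FILE_MANAGER_PRIV_KEY = 'jak_admin_file_manager';

function hardened_gate(array $session): bool
{
    if (!isset($session[ADMIN_SESSION_KEY])) {
        return false;
    }
    $uid = $session[ADMIN_SESSION_KEY];
    if (!is_int($uid) || $uid <= 0) {
        return false; // not a logged-in user, whatever else the session holds
    }
    // Existence of a key is not authorisation: require the flag to be true.
    return ($session[FILE_MANAGER_PRIV_KEY] ?? false) === true;
}

// Constructed session of an anonymous visitor who only loaded index.php.
$anonymous = ['jak_lastURL' => '/index.php'];

// Attacker-chosen config: point the check at a key index.php is known to set.
$attackerConfig = ['check_session_variable' => 'jak_lastURL'];

// Constructed session of a genuinely logged-in administrator.
$admin = [ADMIN_SESSION_KEY => 1, FILE_MANAGER_PRIV_KEY => true];

echo 'flawed gate, anonymous session:   ', var_export(flawed_gate($attackerConfig, $anonymous), true), PHP_EOL;
echo 'hardened gate, anonymous session: ', var_export(hardened_gate($anonymous), true), PHP_EOL;
echo 'hardened gate, admin session:     ', var_export(hardened_gate($admin), true), PHP_EOL;
```

Run with `php gate.php`. The flawed gate admits the anonymous session as soon as the attacker names a key that index.php populates, while the hardened gate rejects it and admits only the session carrying a user id and the privilege flag. In the real file the check would read from $_SESSION after session_start(); the point of the rewrite is that the key name is fixed in code and the test is on the value, not on the key's existence.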
JAKCMS - Content Management System (CMS) PHP, MySQL and HTML

Jerome Posted: 16.09.2011 : 08:33 PM
Thank you very much for the report, I will check it and publish a fix asap if necessary...
Jerome Posted: 16.09.2011 : 09:16 PM
Ok I reuploaded the 2.2.6 package with a fix, more details follow soon!
The file will now check if you can have access with no session and if not it will die()!
Thanks again for the report!
If you installed 2.2.6 already, download the package again and replace the whole js/editor/plugins folder with the new content!