[Full-disclosure] Frog CMS Multiple Vulnerabilities
Justin C. Klein Keane
justin at madirish.net
Thu Mar 26 12:30:11 GMT 2009
Security Evaluation of Frog CMS
Version tested: 0.9.4
by Justin C. Klein Keane <justin at madirish.net>
This advisory is also posted at
Frog CMS (http://www.madebyfrog.com/) is a lightweight content
management system written in PHP that supports several back-end
databases (including MySQL). "Frog CMS simplifies content management by
offering an elegant user interface, flexible templating per page, simple
user management and permissions, as well as the tools necessary for file
Frog CMS uses a robust, object oriented PHP codebase that eliminates
many of the most common web application vulnerabilities found in PHP.
Frog CMS does, however, have some deficiencies that should be cause for
concern. The following are issues identified during a short code audit
of the application:
* Frog CMS encourages the use of a root-user MySQL connection by
defaulting to that user and leaving the "Database password" field blank
in the installation script.
* Frog CMS requires config.php and the public/ directory to be Apache
writable. This exposes these files to modification by the web server
process. This is especially dangerous because the PHP constant
TABLE_PREFIX is defined in config.php and is not sanitized when used in
SQL queries throughout the application, which exposes the possibility of
* Frog CMS utilizes a default administration username and password
* Frog CMS allows enumeration of user e-mail accounts using the "Forgot
password" functionality (admin/?/login/forgot) which will return a "No
user found!" error if no e-mail address is registered.
* Frog CMS users with rights to create content can inject arbitrary
content in page headers by manipulating the keywords and descriptions
field. For instance, entering:
article is viewed (or edited). This vector could be used to attack the
* Frog CMS administrative back end screens are vulnerable to cross-site
request forgery (http://en.wikipedia.org/wiki/CSRF). This means that
users who are logged in to Frog's website are vulnerable to other sites
carrying out form posts or other manipulation using credentials already
supplied to Frog by the user.
* PHP tags in content are interpreted when pages are requested via Frog
CMS. This allows for arbitrary PHP injection in content.
* By design, Frog CMS's file manager in the administrative interface
allows for the upload of arbitrary files.
* The Frog CMS file manager plugin allows for the reading of arbitrary
system files, for instance, a user with file manager privileges browsing
exposes the system passwd file.
* Frog CMS utilizes a non-standard naming convention for its htaccess
file (_.htaccess) which allows this file to be viewed under most
* Frog CMS contains a 'changelog.txt' file in the root directory which
can be used for version enumeration.
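As an added illustration, not code from Frog CMS or its author, the following PHP shows mitigations for three of the issues listed above: whitelisting TABLE_PREFIX before it reaches a SQL string, confining file manager paths to the public/ directory, and encoding the keywords/description fields before they are placed in meta tags. The function names and the public/ root are assumptions.

```php
<?php
// Added example: mitigations for three issues in the advisory above. This is
// not Frog CMS code; the public/ root and the function names are assumptions.
declare(strict_types=1);

// 1. TABLE_PREFIX comes from the web-writable config.php and is spliced into
//    SQL strings. Allow only identifier characters before it is ever used.
function safe_table_prefix($prefix)
{
    if (!preg_match('/^[A-Za-z0-9_]{0,32}$/', $prefix)) {
        throw new RuntimeException('TABLE_PREFIX is not a plain SQL identifier');
    }
    return $prefix;
}

// 2. The file manager must only serve files inside public/. Canonicalise the
//    requested path and require it to stay under the canonical root.
function resolve_in_root($root, $requested)
{
    $rootReal = realpath($root);
    $target   = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($rootReal === false || $target === false) {
        return null;                       // root or file does not exist
    }
    if ($target === $rootReal) {
        return $target;                    // the root directory itself
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// 3. Keywords and descriptions are user-controlled and are printed inside
//    <meta> tags; encode them so they cannot break out of the attribute.
function meta_tag($name, $value)
{
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<meta name="' . $name . '" content="' . $safe . '">';
}

// Demo with constructed values (not taken from a real install).
var_dump(safe_table_prefix('frog_'));
try {
    safe_table_prefix('frog_;');                  // rejected: not an identifier
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(resolve_in_root(__DIR__ . '/public', '../config.php')); // stays null
echo meta_tag('description', '"><b>x</b>'), PHP_EOL;
```

The same realpath-based check applies to the file manager's upload destination, which should additionally restrict the allowed file extensions.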
Justin C. Klein Keane
Full-Disclosure is hosted and sponsored by Secunia.