Monstra CMS 3.0.4 Unauthenticated User Credential Exposure

Whilst pratting around on hackthebox.eu, someone had uploaded a machine which used the Monstra CMS platform, version 3.0.4.

Getting a tad frustrated, I downloaded the platform to look at the code directly and unknowingly stumbled across the user “database”, which is in fact an XML file. This file contains all user credential information, including the password hashes, email addresses, etc.

Upon enumerating further, it would seem that most instances of this CMS online have this file publicly accessible, meaning we can just browse to its location and see every user and their hash.

Going further into the code, the hashes are salted MD5s. Damn… if there’s a salt, cracking them becomes a more arduous task without knowing the salt used. But the installation file indicates that this salt remains unchanged from the default unless the user changes it beforehand.

This would imply that a lot of installations would probably use the salt “YOUR_SALT_HERE”, as indicated in the defines.php file.

Line 63 of defines.php:

/**
 * Set password salt
 */
define('MONSTRA_PASSWORD_SALT', 'YOUR_SALT_HERE');

CVE-2018-11480 is now registered and submitted to Exploit-db.com for record.

# Exploit Title: Monstra CMS Unauthenticated User Credential Exposure
# Date: 25-05-2018
# Author: Dave Addison
# Contact: https://simpleinfosec.com
# Vendor Homepage: http://monstra.org/
# Software Link: http://monstra.org/download
# Version: 3.0.4
# CVE: CVE-2018-11480

A flaw exists in the installation of Monstra CMS 3.0.4 which allows the file http://sitename.com/storage/database/users.table.xml to be accessed by unauthenticated users.
This exposes each user's name and email address alongside their password hash. The passwords are hashed with the following function within the Security class in security.php:

public static function encryptPassword($password)
{
    return md5(md5(trim($password) . MONSTRA_PASSWORD_SALT));
}

Unfortunately the "MONSTRA_PASSWORD_SALT" defined constant isn't actually altered during installation, resulting in exposure of the salt:

/**
 * Set password salt
 */
define('MONSTRA_PASSWORD_SALT', 'YOUR_SALT_HERE');

Mitigation: This is an end-of-life product and as such its use should be discontinued. Migrate your CMS to another up-to-date and actively developed platform.
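As an added illustration (not code from this post or from the Monstra project), the following Python re-implements the quoted encryptPassword() scheme so that an administrator can check whether their own installation still hashes against the shipped default salt; the sample password and stored hash below are constructed, not taken from any real site.

```python
import hashlib
import hmac

# Default salt shipped in defines.php (quoted in the post); installs that never edited it use this value.
DEFAULT_SALT = "YOUR_SALT_HERE"

# PHP's trim() strips exactly these characters; Python's plain str.strip() would strip more.
PHP_TRIM_CHARS = " \t\n\r\0\x0b"


def monstra_hash(password: str, salt: str = DEFAULT_SALT) -> str:
    """Re-implement Security::encryptPassword(): md5(md5(trim($password) . SALT)).

    PHP's md5() returns lowercase hex, and the outer md5() hashes that hex string,
    so the inner digest is fed back in as its 32-character text form, not as raw bytes.
    """
    inner = hashlib.md5((password.strip(PHP_TRIM_CHARS) + salt).encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("utf-8")).hexdigest()


def still_uses_default_salt(stored_hash: str, known_password: str) -> bool:
    """Admin self-audit: does my own stored hash match my password under the default salt?

    True means defines.php was never edited, so every hash in users.table.xml is
    effectively MD5 over a publicly known constant and the file must be treated as
    a leak of crackable credentials if it is reachable without authentication.
    """
    candidate = monstra_hash(known_password, DEFAULT_SALT)
    # Constant-time compare; hashes in the XML may be stored in either case.
    return hmac.compare_digest(candidate, stored_hash.strip().lower())


if __name__ == "__main__":
    # Constructed sample: an admin's own hash as a fresh, unmodified 3.0.4 install would store it.
    my_password = "correct horse battery staple"
    my_stored_hash = monstra_hash(my_password)  # what users.table.xml would hold
    print("default salt in use:", still_uses_default_salt(my_stored_hash, my_password))
    # A site whose operator set a real per-site salt in defines.php would not match.
    custom_hash = monstra_hash(my_password, salt="per-site-random-value")
    print("default salt in use:", still_uses_default_salt(custom_hash, my_password))
```

If the check reports True, changing the salt alone does not help existing accounts (their stored hashes were computed with the old one); the post's mitigation of migrating off the platform stands.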
