-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Evaluation of Frog CMS

Version tested:  0.9.4
by Justin C. Klein Keane <justin@madirish.net>

This advisory is also posted at
http://www.madirish.net/vulnerabilities/frog-cms

Frog CMS (http://www.madebyfrog.com/) is a lightweight content
management system written in PHP that supports several back-end
databases (including MySQL).  "Frog CMS simplifies content management by
offering an elegant user interface, flexible templating per page, simple
user management and permissions, as well as the tools necessary for file
management."

Frog CMS uses a robust, object oriented PHP codebase that eliminates
many of the most common web application vulnerabilities found in PHP.
Frog CMS does, however, have some deficiencies that should be cause for
concern.  The following are issues identified during a short code audit
of the application:

*  Frog CMS encourages the use of root user MySQL connection by
defaulting to that user and leaving the "Database password" field blank
in the installation script.

*  Frog CMS requires config.php and the public/ directory to be Apache
writable.  This exposes these files to modification by the web server
process.  This is especially dangerous because the PHP constant
TABLE_PREFIX is defined in config.php and is not sanitized when used in
SQL queries throughout the application, which exposes the possibility of
SQL injection.

*  Frog CMS utilizes a default administration username and password
(admin/password)

*  Frog CMS allows enumeration of user e-mail accounts using the "Forgot
password" functionality (admin/?/login/forgot) which will return a "No
user found!" error if no e-mail address is registered.

*  Frog CMS users with rights to create content can inject arbitrary
content in page headers by manipulating the keywords and descriptions
field.  For instance, entering:

"/><script>alert('keyword');</script><script src="

for the keyword value will cause a JavaScript alert to show when the
article is viewed (or edited).  This vector could be used to attack the
administrative account.

*  Frog CMS administrative back end screens are vulnerable to cross site
request forgery (http://en.wikipedia.org/wiki/CSRF).  This means that
users who are logged in to Frog's website are vulnerable to other sites
carrying out form posts or other manipulation using credentials already
supplied to Frog by the user.

*  PHP tags in content are interpreted when pages are requested via Frog
CMS.  This allows for arbitrary PHP injection in content.

*  By design Frog CMS's file manager in the administrative interface
allows for the upload of arbitrary files.

*  The Frog CMS file manager plugin allows for the reading of arbitrary
system files, for instance, a user with file manager privileges browsing
the URL
frog/admin/?/plugin/file_manager/view/../../../../../../../etc/passwd
exposes the system passwd file.

*  Frog CMS utilizes a non-standard naming convention for it's htaccess
file (_.htaccess) which allows this file to be viewed under most
configurations.

*  Frog CMS contains a 'changelog.txt' file in the root directory which
can be used for version enumeration.

- --
Justin C. Klein Keane
http://www.MadIrish.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSct1U5EpbGy7DdYAAQJ2Rgb+MyLlpvKRMu02HkWlHzxOGfLJJhYb3b9P
Bo7nThIDJVzSslg04rPh7HsYGMMJkAAqWxbha+2l/eZCHtgwwp+S7HTT6F4zobqc
iVM5jyLkz3MNvBYQkXyuEcuJdwNm7eP4mgg1D7N5zuWmqAvUR0aVMaGUKgIhAG0w
gx8Hb0MywH6fOBTnVXMMOcFEG4+Lo9j9zegyqhFjZcT5BS8XN2SPIM1eqYMNUIO7
ZxcamoiO3m4v67thFJdotvkcgpNCaJD44etbCJm0WKGrn2nMZR+OVz3/HbL53G75
Ys0RoRydBXM=
=CPYx
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/