Security Review of NanoCMS

30 November -0001

Version tested: 0.4_final

NanoCMS (http://nanocms.in) is a PHP based Content Management System (CMS). "Nano CMS is the tiniest CMS you can find around. The user interface and the functionality are very very simple and extremely easy to use. The core feature of NanoCMS is that it is filebased and does not use any database at all, which makes it super easy to install - just extract and that's it." A brief security evaluation of NanoCMS version 0.4 final revealed a number of notable security vulnerabilities that could allow remote attackers to take complete control of the web server process serving NanoCMS.

  • NanoCMS utilizes default administrative credentials (admin/demo) which can be used to access the administrative portion of the site at /data/nanoadmin.php.
  • In a default installation the URL to the administrative portion of the CMS is displayed at /index.php?page=how-to-install along with the default username and password to access the administrative back end.
  • NanoCMS installation suggest full read/write permissions (user, group, and other) for the /data/pages and /data/areas directories as well as the data/pagesdata.txt files. This is especially dangerous as the data/pagesdata.txt contains configuration information including administrative username and password hash.
  • Semicolon separated, serialized settings variables are stored in a plain text file accessible via the web interface at /data/pagesdata.txt. These variables include:
    
    s:8:"username";s:5:"admin";
    s:8:"password";s:32:"fe01ce2a7fbac8fafaed7c982a04e229";
    
    This allows for administrative account enumeration. Although the password value is stored as an MD5 hash, its availability allows for as offline hash cracking.
  • Version enumeration is possible by viewing the plain text configuration page at /data/pagesdata.txt. The serialized variable "version" displays this information in the form:
    s:7:"version";s:4:"v_4f";
    
  • Page title field when creating or editing content is vulnerable to arbitrary script injection (cross site scripting). For instance, if a new page is created with the title "<script>alert('title');</script>" a JavaScript alert is displayed on every page the content title is listed. This arbitrary script is displayed in multiple areas of the administrative back end (editing or listing content) exposing site administrators to XSS attacks, as well as via the front end, exposing all site users.
  • The website name, website slogan, below navigation and copyright notice areas controlled in the NanoCMS admin panel on the "Content Areas" page (data/nanoadmin.php?action=showareas) are all vulnerable to arbitrary HTML, JavaScript and PHP code injection. Each of these areas are rendered as flat files with PHP extensions (for instance in data/areas/website name.php) causing the web server to parse any PHP code contained on these pages when the NanoCMS powered web site is displayed. For instance, if the "website name" value is changed from the default "NanoCMS v0.4" to "NanoCMS v0.4 " the site's PHP configuration information will be displayed on the site.
  • No protection is provided in administrative forms to prevent against Cross Site Request Forgery (CSRF) attacks. If a logged in administrator was to visit a page that contained a hidden form post to the settings URL (data/nanoadmin.php?action=settings) that contained the POST variables "save", "username" and "password" the administrative username and password would be silently updated as the admin user is not required to provide the existing password and no tokens are present to prevent the attack.
  • Administrative access is controled via the PHP session variable NANO_CMS_ADMIN_LOGGED. NanoCMS passes session information via plain-text cookies set to expire at the end of the session. Cookie theft could grant full administrative control to unauthorized remote attackers.
  • Any content created in NanoCMS may contain arbitrary PHP code. This could enable anyone with the ability to create content to run arbitrary commands with the privileges of the web server. For instance, creating a new page that contained the content '' would create a new page that contained as its body the listings of the system password file.

The combination of these vulnerabilities could allow a remote attacker to enumerate the administrative username, crack the associated password, log into the administrative back end of the NanoCMS, and create a PHP interface to take control of the web server process. This would include the ability to read and write files on the system.