Security Evaluation of Frog CMS

30 November -0001
Version tested: 0.9.4
by Justin C. Klein Keane <justin@madirish.net>

Frog CMS (http://www.madebyfrog.com/) is a lightweight content management system written in PHP that supports several back-end databases (including MySQL). "Frog CMS simplifies content management by offering an elegant user interface, flexible templating per page, simple user management and permissions, as well as the tools necessary for file management."

Frog CMS uses a robust, object oriented PHP codebase that eliminates many of the most common web application vulnerabilities found in PHP. Frog CMS does, however, have some deficiencies that should be cause for concern. The following are issues identified during a short code audit of the application:

* Frog CMS encourages the use of root user MySQL connection by defaulting to that user and leaving the "Database password" field blank in the installation script. The use of the MySQL root user is a leading cause of application insecurity. If a SQL injection vulnerability exists they can exploit the privileges of the root user to read and write arbitrary filesystem files, load new MySQL dynamic modules, and otherwise compromise the server system account.

* Frog CMS requires config.php and the public/ directory to be Apache writable. This exposes these files to modification by the web server process. This is especially dangerous because the PHP constant TABLE_PREFIX is defined in config.php and is not sanitized when used in SQL queries throughout the application, which exposes the possibility of SQL injection. Write access exposes these files to modification if Frog CMS or any other web application is compromised.

* Frog CMS utilizes a default administration username and password (admin/password). Default authentication credentials are always a bad idea because many users will not change them. This allows internet attackers to scan for new or default installations and log in using the known credentials.

* Frog CMS allows enumeration of user e-mail accounts using the "Forgot password" functionality (admin/?/login/forgot) which will return a "No user found!" error if no e-mail address is registered. Error messages of this sort indicate the contents of the database by confirming the success or failure of guessing attacks.

* Frog CMS users with rights to create content can inject arbitrary content in page headers by manipulating the keywords and descriptions field. For instance, entering:

"/><script>alert('keyword');</script><script src="

for the keyword value will cause a JavaScript alert to show when the article is viewed (or edited). This vector could be used to attack the administrative account using carefully crafted cross site scripting (XSS) or cross site request forgery attacks.

* Frog CMS administrative back end screens are vulnerable to cross site request forgery (http://en.wikipedia.org/wiki/CSRF). This means that users who are logged in to Frog's website are vulnerable to other sites carrying out form posts or other manipulation using credentials already supplied to Frog by the user. Because Frog CMS doesn't use any time based tokens in any of the forms presented to administrative users attackers can steal sessions and submit forms as a logged in user from other sites, often invisibly.

* PHP tags in content are interpreted when pages are requested via Frog CMS. This allows for arbitrary PHP injection in content. Although this seems to be a design decision within Frog CMS it means that if an attacker compromised any user account that had the rights to create content they could trivially take control of the Apache server account using PHP.

* By design Frog CMS's file manager in the administrative interface allows for the upload of arbitrary files. File types and extensions should be checked in a CMS file upload system. There is no reason to allow users to upload arbitrary files, for instance compiled binaries. Allowing users to upload any type of file provides an easy vector for attackers to deliver local exploit binaries. Because Frog CMS provides areas that are by default writable to the Apache web service this vector is easily exploitable by an attacker who compromises an account with privileges to access the Frog CMS file manager.

* The Frog CMS file manager plugin allows for the reading of arbitrary system files, for instance, browsing the URL frog/admin/?/plugin/file_manager/view/../../../../../../../etc/passwd exposes the system passwd file. There isn't any reason from Frog CMS to allow users to explore outside of the root installation directory. By providing this functionality Frog CMS exposes all world or Apache readable files to disclosure through the Frog CMS file manager interface.

* Frog CMS utilizes a non-standard naming convention for it's htaccess file (_.htaccess) which allows this file to be viewed under most configurations.

* Frog CMS contains a 'changelog.txt' file in the root directory which can be used for version enumeration. Being able to quickly query installation versions allows an attacker to more quickly craft attacks or find vulnerabilities in a Frog CMS installation. This file is, by default, readable by any internet users. This type of information disclosure is unnecessary to end users and only serves to aid attackers.