Security Review of NanoCMS
Version tested: 0.4_final
NanoCMS (http://nanocms.in) is a PHP-based Content Management System (CMS). "Nano CMS is the tiniest CMS you can find around. The user interface and the functionality are very very simple and extremely easy to use. The core feature of NanoCMS is that it is filebased and does not use any database at all, which makes it super easy to install - just extract and that's it." A brief security evaluation of NanoCMS version 0.4 final revealed a number of notable security vulnerabilities that could allow remote attackers to take complete control of the web server process serving NanoCMS.
- NanoCMS utilizes default administrative credentials (admin/demo) which can be used to access the administrative portion of the site at /data/nanoadmin.php.
- In a default installation the URL to the administrative portion of the CMS is displayed at /index.php?page=how-to-install along with the default username and password to access the administrative back end.
- The NanoCMS installation instructions suggest full read/write permissions (user, group, and other) for the /data/pages and /data/areas directories as well as the data/pagesdata.txt file. This is especially dangerous as data/pagesdata.txt contains configuration information, including the administrative username and password hash.
- Semicolon separated, serialized settings variables are stored in a plain text file accessible via the web interface at /data/pagesdata.txt. These variables include:
s:8:"username";s:5:"admin"; s:8:"password";s:32:"fe01ce2a7fbac8fafaed7c982a04e229";
This allows for administrative account enumeration. Although the password value is stored as an MD5 hash, its availability allows for offline hash cracking.
- Version enumeration is possible by viewing the plain text configuration page at /data/pagesdata.txt. The serialized variable "version" displays this information in the form:
- No protection is provided in administrative forms to prevent Cross Site Request Forgery (CSRF) attacks. If a logged-in administrator were to visit a page containing a hidden form that posts to the settings URL (data/nanoadmin.php?action=settings) with the POST variables "save", "username" and "password", the administrative username and password would be silently updated: the admin user is not required to provide the existing password, and no anti-CSRF tokens are present to prevent the attack.
- Administrative access is controlled via the PHP session variable NANO_CMS_ADMIN_LOGGED. NanoCMS passes session information via plain-text cookies set to expire at the end of the session. Cookie theft could grant full administrative control to unauthorized remote attackers.
- Any content created in NanoCMS may contain arbitrary PHP code. This could enable anyone with the ability to create content to run arbitrary commands with the privileges of the web server. For instance, creating a new page that contained the content '' would create a new page whose body was the listing of the system password file.
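The following is an added example written for this review; it is not NanoCMS's own code. It shows what a hardened version of the settings handler described in the CSRF and session findings above would look like: a per-session anti-CSRF token, re-authentication with the current password before credentials change, hardened session cookie flags, and a salted slow hash in place of the unsalted MD5 found in pagesdata.txt. The settings file location, the JSON storage format, the form field names and the helper function names are all assumptions; only the NANO_CMS_ADMIN_LOGGED session flag and the nanoadmin.php?action=settings URL come from the review.

```php
<?php
// Added example, not NanoCMS's own code: a hardened "settings" handler that
// closes the CSRF, session-cookie and credential-storage gaps described in
// the review. Storage file, field names and helper names are assumptions.

declare(strict_types=1);

// Assumed settings store; kept outside the web root so it is never served.
const SETTINGS_FILE = __DIR__ . '/../private/settings.json';

// Cookie hardening must happen before session_start(): HttpOnly keeps the
// cookie away from script, Secure limits it to HTTPS, and SameSite=Strict
// stops a cross-site form post from carrying the session cookie at all.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// Only a logged-in administrator may reach this handler (flag named in the review).
if (empty($_SESSION['NANO_CMS_ADMIN_LOGGED'])) {
    http_response_code(403);
    exit('Not authorised');
}

// Per-session anti-CSRF token, embedded as a hidden field in every admin form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the token cannot be guessed byte by byte.
function csrfTokenIsValid(?string $submitted): bool
{
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function loadSettings(): array
{
    $raw = @file_get_contents(SETTINGS_FILE);
    $s = $raw === false ? null : json_decode($raw, true);
    return is_array($s) ? $s : ['username' => 'admin', 'password_hash' => ''];
}

function saveSettings(array $s): void
{
    file_put_contents(SETTINGS_FILE, json_encode($s, JSON_PRETTY_PRINT), LOCK_EX);
    chmod(SETTINGS_FILE, 0600); // readable by the web server user only
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['save'])) {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(400);
        exit('Invalid request token');
    }
    $settings = loadSettings();

    // Re-authentication: the current password is required before credentials
    // change, so a forged request or a stolen cookie alone is not sufficient.
    // password_verify() returns false for the empty hash of a fresh install.
    if (!password_verify((string) ($_POST['current_password'] ?? ''), $settings['password_hash'])) {
        http_response_code(403);
        exit('Current password incorrect');
    }

    $newUser = trim((string) ($_POST['username'] ?? ''));
    $newPass = (string) ($_POST['password'] ?? '');
    if ($newUser === '' || strlen($newPass) < 12) {
        http_response_code(400);
        exit('Username required and password must be at least 12 characters');
    }

    $settings['username'] = $newUser;
    // Salted, slow hash instead of the unsalted MD5 stored in pagesdata.txt.
    $settings['password_hash'] = password_hash($newPass, PASSWORD_DEFAULT);
    saveSettings($settings);
    session_regenerate_id(true); // fresh session id after a credential change
    exit('Settings saved');
}

// Render the form with the token included; the same token is checked above.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="nanoadmin.php?action=settings">
  <input type="hidden" name="csrf_token" value="{$token}">
  <label>Current password <input type="password" name="current_password"></label>
  <label>New username <input type="text" name="username"></label>
  <label>New password <input type="password" name="password"></label>
  <button type="submit" name="save" value="1">Save</button>
</form>
HTML;
```

Two design points worth noting. The token check and the current-password check are independent layers: the token defeats the hidden-form scenario from the CSRF finding, and re-authentication limits what a stolen session cookie alone can do. The same separation applies to the last finding above: page bodies written by editors should be read from their files and echoed as data, never passed through include() or eval(), so that content creation can no longer execute PHP with the web server's privileges.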
The combination of these vulnerabilities could allow a remote attacker to enumerate the administrative username, crack the associated password, log into the administrative back end of NanoCMS, and create a PHP interface to take control of the web server process. This would include the ability to read and write files on the system.
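As a deployment check for the permission and exposure findings above, here is an added command-line script, not part of the NanoCMS project, that an administrator can run from a NanoCMS install directory. It reports the world-writable modes the installer suggests for /data/pages, /data/areas and data/pagesdata.txt (paths taken from the review), flags a pagesdata.txt that other local accounts can read, and notes when no data/.htaccess exists to block direct HTTP access to the settings file. The install root argument, the .htaccess assumption (Apache with AllowOverride enabled) and the recommended modes are assumptions of this example.

```php
<?php
// Added example, not part of NanoCMS: a permission and exposure audit for a
// NanoCMS install. Run as: php audit.php /path/to/nanocms
// The install root argument and the .htaccess check are assumptions.

declare(strict_types=1);

// Paths named in the review as receiving full read/write permissions.
const CHECKED_PATHS = [
    'data/pages',
    'data/areas',
    'data/pagesdata.txt',
];

// Returns a list of findings; an empty list means the checks passed.
function auditPermissions(string $root): array
{
    $root = rtrim($root, '/');
    $findings = [];

    foreach (CHECKED_PATHS as $rel) {
        $path = "$root/$rel";
        if (!file_exists($path)) {
            $findings[] = "$rel: missing (skipped)";
            continue;
        }
        $mode  = fileperms($path) & 0777;
        $octal = sprintf('%04o', $mode);

        // "other" write bit set: any local account can alter pages or settings.
        if ($mode & 0002) {
            $findings[] = "$rel: mode $octal is world-writable; "
                . "prefer 0750 for directories and 0640 for files, owned by the web server user";
        }
        // The settings file holds the admin username and password hash, so
        // only the web server account should be able to read it.
        if ($rel === 'data/pagesdata.txt' && ($mode & 0004)) {
            $findings[] = "$rel: mode $octal is world-readable; it contains the admin username and password hash";
        }
    }

    // Filesystem modes do not stop the web server from serving the file over
    // HTTP; a deny rule in the web server configuration is the real fix. This
    // check only flags the absence of a data/.htaccess (assumes Apache with
    // AllowOverride enabled; other servers need the rule in their main config).
    if (!is_file("$root/data/.htaccess")) {
        $findings[] = 'data/.htaccess: absent; direct HTTP access to data/pagesdata.txt is not blocked at this level';
    }

    return $findings;
}

if (PHP_SAPI === 'cli') {
    $root = $argv[1] ?? getcwd();
    $findings = auditPermissions($root);
    if ($findings === []) {
        echo "OK: no permission or exposure problems found under $root\n";
        exit(0);
    }
    foreach ($findings as $f) {
        echo "WARN: $f\n";
    }
    exit(1);
}
```

The script exits non-zero when anything is flagged, so it can sit in a deployment pipeline. It does not probe the site over HTTP; confirming that /data/pagesdata.txt is actually unreachable from a browser after adding the deny rule is a separate manual check.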