# Exploit Title: South Korean UTW CMS Multiple Vulnerabilities
# Date: 18.11.2010
# Author: Valentin
# Category: webapps/0day
# Version:

# Tested on:
# CVE :  
# Code : 


[:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::]
>> General Information 
Advisory/Exploit Title = South Korean UTW CMS Multiple Vulnerabilities
Author = Valentin Hoebel
Contact = valentin@xenuser.org


[:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::]
>> Product information
Name = UTW CMS

This product is very often used by various companies from South Korea. Googling for
inurl:"utw_lib" shows some results, so does "utw_admin".
The product contains a message board feature, downloads management system and
several other community features.


[:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::]
>> Local File Inclusion
Script: utw_lib/get_file.php
Parameters: file, rfile
Example: utw_lib/get_file.php?rfile=<local path>&file=<local file name>

The script get_file.php is vulnerable to local file inclusion attacks. Arbitrary
files can be viewed by combining the values for the rfile and file parameters.


>> Source Code Disclosure
With the help of the LFI vulnerability the source code of every local script can be
viewed.
Example: utw_lib/get_file.php?rfile=get_file.php
(Yes, using the rfile variable is correct here, although its purpose is to
store a path.)

This knowledge can also be used to view local configuration files.
Example: utw_lib/get_file.php?rfile=dbinfo.inc.php
The file dbinfo.inc.php contents the MySQL data, such as the host, database,
user and password in plain text.
With the help of this information it is possible to access the MySQL server.


>> Cross-Site Request Forgery
Every input field I saw did not filter out HTML or JavaScript code.
I did not check if there are also XSS flaws, but there is a high chance
that you are able to permanently inject code, e.g. in the message board threads.


>> Low Security Levels
Since the user data is stored in plain text (including email addresses and
passwords), the identities of the registered userscan be stolen easily by
accessing the MySQL database.

Another aspect of this low security level is that many users use similar
passwords for different services, e.g. often only one password for communities
and email service logins is used.
In this case all the user passwords and their email addresses can be dumped
from the database and be used for trying to login to their email accounts.

The admin panel can be accessed by adding /utw_admin to the URL.

The product contains also a feature which makes it possible to download
files, their download locations are stored in the database. An attack scenario
would be to change the file downloads, so the users of the affected
website download malicious content.


>> External Website Rendering
(Un)Fortunately this product is not affected by a RFI vulnerability, or at
least I was not able to detect one. But rendering external websites in the
context of the thrusted website is possible.
Example: tw_lib/get_file.php?rfile=http://www,google.com

This is not a real vulnerability, but can be used to abuse the thrust of the
visitors in the affected website.


[:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::]
>> Additional Information
Advisory/Exploit Published = 18.11.2010


[:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::::]
>> Misc
Greetz = cr4wl3r, JosS, Todd and Josh from packetstormsecurity.org, exploit-db.com


[:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::]