###############################################################################
# Exploit Title: Flatstick CMS PHP Hash Collision Denial Of Service Vulnerability
# Google Dork: site:*.nz inurl:index.php?pageLoad= | "intext:Manage Your Own Website with Flatstick"
# Date: 22/02/2013
# Exploit Author: Zyklon B
# Vendor Homepage: http://www.flatout.co.nz/
# Software Link: http://www.flatout.co.nz/pages/flatstick-cms/
# Version: Only one version of this CMS exists.
# Tested on: Windows 7 x86
ADMIN ACCESS REQUIRED: NO
LEVEL RISK: HIGH
###############################################################################
Demo: http://demo.flatstick.co.nz/index.php
As there are no admin path, we can deduce that there is another panel valid for all customers, elsewhere.
Here it is: http://cms.flatstick.co.nz/admin/
-----------------------------------------------------------------------------
Flatstick CMS is suffering from several PHP and APACHE vulnerabilities, due to the fact that the updates were not performed. We'll only talk about this one, which can cause many damages:
-PHP version is 5.2.6, while actually, it should be higher than 5.3.9 to avoid PHP Hash Collision DOS vulnerability. This is the most critical PHP flaw
found in this CMS.
Note: By causing an error, we can know the PHP version. Example of use, go purposely to a page that does not exist. http://TARGET/pagewhichdoesntexist.php
--------------------------------------------------------------------------------------
View - screenshot of the vulnerability using Acunetix: http://i.imgur.com/4s7frmp.png
--------------------------------------------------------------------------------------
This vulneraiblity lies in the hashing algorithms used by a variety of programming languages, like PHP.
"PHP 5 uses the DJBX33A (Dan Bernstein's times 33, addition) hash function and parses POST form data into the $_POST hash table.
Because of the structure of the hash function, it is vulnerable to an equivalent substring attack. When collisions happens these algorithms will take up large amounts of CPU cycles to deal with them.
On an i7 core, the 60 seconds take a string of multi-collisions of about 500k. 30 seconds of CPU time can be generated using a string of about 300k. This means that an attacker needs about 70-100kbit/s
to keep one i7 core constantly busy. An attacker with a Gigabit connection can keep about 10.000 i7 cores busy."
What must be understood is that this technique is very efficient. More the internet connection of an attacker is good, more the website will be blocked for a long time.
The exploit code, in python, can be downloaded here: https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py
You can run it under Windows x86/x64 as under Linux. Instructions are written as arguments in the source code.
*********************************************
Impact noted:
-The admin panel, valid for all customers (URL above), is vulnerable to the same attack. If this fails, the clients can no longer manage their websites properly.
*********************************************
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information