Archive for October 14th, 2010

Exponent CMS v0.97 Multiple Vulnerabilities

Vendor: OIC Group Inc.
Product web page: http://www.exponentcms.org
Affected version: 0.97

Summary: Open Source Content Management System (PHP+MySQL).

Desc: Exponent CMS suffers from multiple vulnerabilities:

#1. Local File Inclusion / File Disclosure Vulnerability
#2. Arbitrary File Upload / File Modify Vulnerability
#3. Reflected Cross-Site Scripting Vulnerability

(1) LFI/FD occurs when input passed thru the params:
– “action”
– “expid”
– “ajax_action”
– “printerfriendly”
– “section”
– “module”
– “controller”
– “int”
– “src”
– “template”
– “page”
– “_common”

to the scripts:
– “index.php”
– “login_redirect.php”
– “mod_preview.php”
– “podcast.php”
– “popup.php”
– “rss.php”

is not properly verified before being used to include files.
This can be exploited to include files from local resources
with directory traversal attacks and URL encoded NULL bytes.

(2) AFU/E occurs due to an error in:
– “upload_fileuploadcontrol.php”
– “upload_standalone.php”
– “manifest.php”
– “delete.php”
– “edit.php”
– “manage.php”
– “rank_switch.php”
– “save.php”
– “view.php”
– “class.php”
– “deps.php”
– “delete_form.php”
– “delete_process.php”
– “search.php”
– “send_feedback.php”
– “viewday.php”
– “viewmonth.php”
– “viewweek.php”
– “testbot.php”
– “activate_bot.php”
– “deactivate_bot.php”
– “manage_bots.php”
– “run_bot.php”
– “class.php”
– “delete_board.php”
– “delete_post.php”
– “edit_board.php”
– “edit_post.php”
– “edit_rank.php”
– “monitor_all_boards.php”
– “monitor_board.php”
– “monitor_thread.php”
– “preview_post.php”
– “save_board.php”
– “save_post.php”
– “save_rank.php”
– “view_admin.php”
– “view_board.php”
– “view_rank.php”
– “view_thread.php”
– “banner_click.php”
– “ad_delete.php”
– “ad_edit.php”
– “ad_save.php”
– “af_delete.php”
– “af_edit.php”
– “af_save.php”
– “delete_article.php”
– “edit_article.php”
– “save_article.php”
– “save_submission.php”
– “submit_article.php”
– “view_article.php”
– “view_submissions.php”
– “coretasks.php”
– “htmlarea_tasks.php”
– “search_tasks.php”
– “clear_smarty_cache.php”
– “configuresite.php”
– “config_activate.php”
– “config_configuresite.php”
– “config_delete.php”
– “config_save.php”
– “examplecontent.php”
– “finish_install_extension.php”
– “gmgr_delete.php”
– “gmgr_editprofile.php”
– “gmgr_membership.php”
– “gmgr_savegroup.php”
– “gmgr_savemembers.php”

as it allows uploads of files with multiple extensions to a
folder inside the web root. This can be exploited to execute
arbitrary PHP code by uploading a specially crafted PHP script.

The uploaded files are stored in: [CMS_ROOT_HOST]\files

(3) XSS occurs when input passed to the params:
– “u”
– “expid”
– “ajax_action”
– “ss”
– “sm”
– “url”
– “rss_url”
– “lang”
– “toolbar”
– “section”
– “section_name”
– “src”

in scripts:
– “slideshow.js.php”
– “picked_source.php”
– “magpie_debug.php”
– “magpie_simple.php”
– “magpie_slashbox.php”
– “test.php”
– “fcktoolbarconfig.js.php”
– “section_linked.php”
– “index.php”

is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script
code in a user’s browser session in context of an affected site.

Tested on: Microsoft Windows XP Professional SP3 (English)
Apache 2.2.14 (Win32)
MySQL 5.1.41
PHP 5.3.1

Vendor status: [09.10.2010] Vulnerabilities discovered.
[10.10.2010] Vendor contacted.
[13.10.2010] No reply from vendor.
[14.10.2010] Public advisory released.

Advisory ID: ZSL-2010-4969
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php

Vulnerabilities discovered by: Gjoko ‘LiquidWorm’ Krstic
liquidworm gmail com
Zero Science Lab – http://www.zeroscience.mk

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php

Raw analysis (hi 5 John Leitch): Log_Exponent.txt (616 KB)