Exponent CMS v0.97 Multiple Vulnerabilities
Title: Exponent CMS v0.97 Multiple Vulnerabilities
Advisory ID: ZSL-2010-4969
Type: Local/Remote
Impact: Cross-Site Scripting, System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (4/5)
Release Date: 14.10.2010
#1. Local File Inclusion / File Disclosure Vulnerability
#2. Arbitrary File Upload / File Modify Vulnerability
#3. Reflected Cross-Site Scripting Vulnerability
(1) LFI/FD occurs when input passed thru the params:
- "action"
- "expid"
- "ajax_action"
- "printerfriendly"
- "section"
- "module"
- "controller"
- "int"
- "src"
- "template"
- "page"
- "_common"
to the scripts:
- "index.php"
- "login_redirect.php"
- "mod_preview.php"
- "podcast.php"
- "popup.php"
- "rss.php"
is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.
(2) AFU/E occurs due to an error in:
- "upload_fileuploadcontrol.php"
- "upload_standalone.php"
- "manifest.php"
- "delete.php"
- "edit.php"
- "manage.php"
- "rank_switch.php"
- "save.php"
- "view.php"
- "class.php"
- "deps.php"
- "delete_form.php"
- "delete_process.php"
- "search.php"
- "send_feedback.php"
- "viewday.php"
- "viewmonth.php"
- "viewweek.php"
- "testbot.php"
- "activate_bot.php"
- "deactivate_bot.php"
- "manage_bots.php"
- "run_bot.php"
- "class.php"
- "delete_board.php"
- "delete_post.php"
- "edit_board.php"
- "edit_post.php"
- "edit_rank.php"
- "monitor_all_boards.php"
- "monitor_board.php"
- "monitor_thread.php"
- "preview_post.php"
- "save_board.php"
- "save_post.php"
- "save_rank.php"
- "view_admin.php"
- "view_board.php"
- "view_rank.php"
- "view_thread.php"
- "banner_click.php"
- "ad_delete.php"
- "ad_edit.php"
- "ad_save.php"
- "af_delete.php"
- "af_edit.php"
- "af_save.php"
- "delete_article.php"
- "edit_article.php"
- "save_article.php"
- "save_submission.php"
- "submit_article.php"
- "view_article.php"
- "view_submissions.php"
- "coretasks.php"
- "htmlarea_tasks.php"
- "search_tasks.php"
- "clear_smarty_cache.php"
- "configuresite.php"
- "config_activate.php"
- "config_configuresite.php"
- "config_delete.php"
- "config_save.php"
- "examplecontent.php"
- "finish_install_extension.php"
- "gmgr_delete.php"
- "gmgr_editprofile.php"
- "gmgr_membership.php"
- "gmgr_savegroup.php"
- "gmgr_savemembers.php"
as it allows uploads of files with multiple extensions to a folder inside the web root. This can be exploited to execute arbitrary PHP code by uploading a specially crafted PHP script.
The uploaded files are stored in: [CMS_ROOT_HOST]\files
(3) XSS occurs when input passed to the params:
- "u"
- "expid"
- "ajax_action"
- "ss"
- "sm"
- "url"
- "rss_url"
- "lang"
- "toolbar"
- "section"
- "section_name"
- "src"
in scripts:
- "slideshow.js.php"
- "picked_source.php"
- "magpie_debug.php"
- "magpie_simple.php"
- "magpie_slashbox.php"
- "test.php"
- "fcktoolbarconfig.js.php"
- "section_linked.php"
- "index.php"
is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Apache 2.2.14 (Win32)
MySQL 5.1.41
PHP 5.3.1
[10.10.2010] Vendor contacted.
[13.10.2010] No reply from vendor.
[14.10.2010] Public advisory released.
[2] http://www.exploit-db.com/exploits/15247/
[3] http://www.packetstormsecurity.org/filedesc/exponentcms-lfidisclosexss.txt.html
[4] http://xforce.iss.net/xforce/xfdb/62527
[5] http://xforce.iss.net/xforce/xfdb/62528
[6] http://www.securityfocus.com/bid/44095
[7] http://secunia.com/advisories/36703/
[8] http://www.qurizhao.com/Article/HTML/20101014164902.html
[15.10.2010] - Added reference [4], [5] and [6]
[18.10.2010] - Added reference [7]
[19.10.2010] - Added reference [8]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2010-4969
Type: Local/Remote
Impact: Cross-Site Scripting, System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (4/5)
Release Date: 14.10.2010
Summary
Open Source Content Management System (PHP+MySQL).Description
Exponent CMS suffers from multiple vulnerabilities:#1. Local File Inclusion / File Disclosure Vulnerability
#2. Arbitrary File Upload / File Modify Vulnerability
#3. Reflected Cross-Site Scripting Vulnerability
(1) LFI/FD occurs when input passed thru the params:
- "action"
- "expid"
- "ajax_action"
- "printerfriendly"
- "section"
- "module"
- "controller"
- "int"
- "src"
- "template"
- "page"
- "_common"
to the scripts:
- "index.php"
- "login_redirect.php"
- "mod_preview.php"
- "podcast.php"
- "popup.php"
- "rss.php"
is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.
(2) AFU/E occurs due to an error in:
- "upload_fileuploadcontrol.php"
- "upload_standalone.php"
- "manifest.php"
- "delete.php"
- "edit.php"
- "manage.php"
- "rank_switch.php"
- "save.php"
- "view.php"
- "class.php"
- "deps.php"
- "delete_form.php"
- "delete_process.php"
- "search.php"
- "send_feedback.php"
- "viewday.php"
- "viewmonth.php"
- "viewweek.php"
- "testbot.php"
- "activate_bot.php"
- "deactivate_bot.php"
- "manage_bots.php"
- "run_bot.php"
- "class.php"
- "delete_board.php"
- "delete_post.php"
- "edit_board.php"
- "edit_post.php"
- "edit_rank.php"
- "monitor_all_boards.php"
- "monitor_board.php"
- "monitor_thread.php"
- "preview_post.php"
- "save_board.php"
- "save_post.php"
- "save_rank.php"
- "view_admin.php"
- "view_board.php"
- "view_rank.php"
- "view_thread.php"
- "banner_click.php"
- "ad_delete.php"
- "ad_edit.php"
- "ad_save.php"
- "af_delete.php"
- "af_edit.php"
- "af_save.php"
- "delete_article.php"
- "edit_article.php"
- "save_article.php"
- "save_submission.php"
- "submit_article.php"
- "view_article.php"
- "view_submissions.php"
- "coretasks.php"
- "htmlarea_tasks.php"
- "search_tasks.php"
- "clear_smarty_cache.php"
- "configuresite.php"
- "config_activate.php"
- "config_configuresite.php"
- "config_delete.php"
- "config_save.php"
- "examplecontent.php"
- "finish_install_extension.php"
- "gmgr_delete.php"
- "gmgr_editprofile.php"
- "gmgr_membership.php"
- "gmgr_savegroup.php"
- "gmgr_savemembers.php"
as it allows uploads of files with multiple extensions to a folder inside the web root. This can be exploited to execute arbitrary PHP code by uploading a specially crafted PHP script.
The uploaded files are stored in: [CMS_ROOT_HOST]\files
(3) XSS occurs when input passed to the params:
- "u"
- "expid"
- "ajax_action"
- "ss"
- "sm"
- "url"
- "rss_url"
- "lang"
- "toolbar"
- "section"
- "section_name"
- "src"
in scripts:
- "slideshow.js.php"
- "picked_source.php"
- "magpie_debug.php"
- "magpie_simple.php"
- "magpie_slashbox.php"
- "test.php"
- "fcktoolbarconfig.js.php"
- "section_linked.php"
- "index.php"
is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Vendor
OIC Group Inc. - http://www.exponentcms.orgAffected Version
0.97Tested On
Microsoft Windows XP Professional SP3 (English)Apache 2.2.14 (Win32)
MySQL 5.1.41
PHP 5.3.1
Vendor Status
[09.10.2010] Vulnerabilities discovered.[10.10.2010] Vendor contacted.
[13.10.2010] No reply from vendor.
[14.10.2010] Public advisory released.
PoC
exponent_cms.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://securityreason.com/wlb_show/WLB-2010100071[2] http://www.exploit-db.com/exploits/15247/
[3] http://www.packetstormsecurity.org/filedesc/exponentcms-lfidisclosexss.txt.html
[4] http://xforce.iss.net/xforce/xfdb/62527
[5] http://xforce.iss.net/xforce/xfdb/62528
[6] http://www.securityfocus.com/bid/44095
[7] http://secunia.com/advisories/36703/
[8] http://www.qurizhao.com/Article/HTML/20101014164902.html
Changelog
[14.10.2010] - Initial release[15.10.2010] - Added reference [4], [5] and [6]
[18.10.2010] - Added reference [7]
[19.10.2010] - Added reference [8]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk