exponentCMS.txt

`A number of security issues have been discovered in ExponentCMS  
  
------------------------------------------------------------------------   
---------------------  
  
Exponent is a fully-featured, modern CMS written in PHP, that enables  
non-technical people to manage and update their websites with  
minimal effort. Exponent is also an attractive development platform for  
traditional and non-traditional web applications.  
  
Exponent can be found at:  
  
http://sourceforge.net/projects/exponent/  
  
------------------------------------------------------------------------   
---------------------  
  
Security issues are located in 0.96.3 and higher.  
  
1. js injection in forms.  
  
ExponentCMS has a form generator which allows admin to create new  
forms. Once these forms are used by users it is in most cases possible  
to craft javascript injections which will be send to the given person.  
  
Status: open  
  
2. SQL injections in the navigation module.  
  
Problem:  
  
Any user who is allowed to change the order of the menu  
is able to inject sql using a crafted url.  
  
PoC:  
  
<host>/index.php?action=order&parent=41%20or%   
201&a=1&b=0&module=navigationmodule  
  
Solution:  
  
Typecast values where possible.  
  
Status:  
  
Fixed in CVS. Together with lots of other modules where no typecasting  
is used.  
  
3. Path disclosure in the extra Image Gallery module:  
  
There is a security issue in the image gallery which  
can be downloaded apart from the current stable.  
  
In the output it shows the path above the document root  
when placing the preview icons:  
  
thumb.php?base=/var/www/site2/exponent-0.96.3/......  
  
Status:  
  
Fixed in cvs  
  
4. (XSS) invalid checking of mime type for uploads  
  
Exponent, the imagegallery to be specific, lacks mime  
type checking on the uploads. Therefor the preview icon  
is shown. On clicking the preview icon shows the source  
written for the file.  
  
Status: open  
  
  
5. permissions on uploaded files  
  
Files uploaded to exponentcms are chmodded with execute rights. In  
some cases this could lead to code execution by visitors.  
  
Status:  
  
Fixed in CVS  
  
6. False idea of secure file storage.  
  
Users can create a page which is active but not public.  
They can even set group/person permissions on such a  
page. The default installation of exponent does not  
provide a mechanism to prevent people from using a bot  
to browse for uploaded resources and viewing those who  
are supposed to be secured behind a login page since they  
are all stored in the document root.  
  
Status: open  
  
7. parsing php through uploaded files  
  
Once a user is allowed to upload  
images it is possible to upload php code and do  
anything the user apache/webserver is allowed to do  
(some examples):  
  
* view source code of the files.  
* view and alter sessions of other users (in fact, do  
anything with  
the database you want to do.  
* view the /etc/passwd  
  
Status: open  
  
  
8. XSS bug in the installer  
  
Javascript is parsed when added to the url parameters of the installer  
since there is hardly any user input sanitation.  
  
Status: fixed in cvs  
  
9.  
  
  
  
  
`