Exponent CMS Multiple Vulnerabilities including directory traversal, script insertion, XSS, and path disclosure
Exponent is a fully featured, modern CMS written in PHP that enables
non-technical people to manage and update their websites with minimal
effort.
Exponent is also an attractive development platform for traditional and
non-traditional web applications. It is a great CMS.
http://www.exponentcms.org
Credit:
The information has been provided by Hamid Ebadi (www.bugtraq.ir, Iran
Security Research).
The original article can be found at:
http://www.bugtraq.ir/articles/advisory/exponent_multiple_vulnerabilities/10
Vulnerable:
Exponent exponent-0.96.6-Alpha and below
1 ) Exponent Directory Traversal (Exposure of sensitive information)
Input passed to the "icodir" parameter in "iconspopup.php" is not properly
verified before being used to open a directory.
This can be exploited by malicious people to disclose sensitive information
by using "../" directory traversal sequences.
Vulnerable Code :
//line 40
// $_GET['icodir'] is used to build ICONDIR without validation, so "../" sequences reach opendir()
define('ICONDIR', BASE . str_replace(PATH_RELATIVE, "", $_GET['icodir']));
...
    $dh = opendir(ICONDIR);
    $counter = 0;
    while (($file = readdir($dh)) !== false) {
        if (is_readable(ICONDIR . $file) && is_file(ICONDIR . $file)) {
            $iconfiles[$thisrow][] = $file;
            $counter++;
            if ($counter >= $perrow) {
                $counter = 0;
                $thisrow++;
                $iconfiles[$thisrow] = array();
            }
        }
    }
} else $good = false;
//
...
//line 73
<?php
for ($i = 0; $i < count($iconfiles); $i++) {
    echo '<tr>';
    for ($j = 0; $j < count($iconfiles[$i]); $j++) {
        echo '<td>';
        // the raw parameter is also echoed into the markup and into a JavaScript string unencoded
        $imgsrc = $_GET['icodir'] . $iconfiles[$i][$j];
        echo "<a href='' onClick='setIcon(\"$imgsrc\"); return false'><img src='$imgsrc' border='0' /></a>";
        echo '</td>';
    }
    echo '</tr>';
}
?>
exploit:
http://[exponent]/iconspopup.php?icodir=/../../../
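For comparison, the following is a contained rewrite of the iconspopup.php logic quoted above. It is an added example written for this page, not Exponent's code or a patch from the project. BASE and PATH_RELATIVE are assumed to be defined by the application as in the original; the defaults given here, the ICON_ROOTS allow-list and the directory names in it are placeholders. The script refuses any icodir value that is not a plain relative path, confirms with realpath() that the canonical directory sits under a permitted root (so a symlink pointing elsewhere fails too), lists only image files, and encodes each dynamic value for the HTML attribute or JavaScript-string context it lands in.

```php
<?php
// Added example, not Exponent's code: a contained rewrite of the
// iconspopup.php logic quoted in the advisory. BASE, PATH_RELATIVE and
// ICON_ROOTS are placeholders for the application's own definitions.
declare(strict_types=1);

if (!defined('BASE')) {
    define('BASE', sys_get_temp_dir() . '/exponent-demo/'); // placeholder install root
}
if (!defined('PATH_RELATIVE')) {
    define('PATH_RELATIVE', '/exponent/');                  // placeholder web prefix
}
// Subtrees of BASE that the popup may list (hypothetical names).
const ICON_ROOTS = ['icons/', 'themes/icons/'];

/**
 * Map the icodir parameter to a directory relative to BASE, or return null
 * when it is malformed, missing, or resolves outside every permitted root.
 */
function resolveIconDir(string $requested): ?string
{
    // Strip the web prefix once, at the start only; the original removed
    // every occurrence anywhere in the string.
    if (strpos($requested, PATH_RELATIVE) === 0) {
        $requested = substr($requested, strlen(PATH_RELATIVE));
    }
    $requested = ltrim($requested, '/');
    // Structural check: one or more plain segments, each ending in '/'.
    // Dots are not allowed, so "../" never reaches the filesystem.
    if (!preg_match('#\A([A-Za-z0-9_-]+/)+\z#', $requested)) {
        return null;
    }
    $base = realpath(BASE);
    $real = realpath(BASE . $requested);
    if ($base === false || $real === false || !is_dir($real)) {
        return null;
    }
    $base = rtrim($base, '/') . '/';
    $real = rtrim($real, '/') . '/';
    // Canonical-path containment: a symlink pointing outside the roots
    // fails here even though its name passed the regex.
    foreach (ICON_ROOTS as $root) {
        if (strpos($real, $base . $root) === 0) {
            return substr($real, strlen($base));
        }
    }
    return null;
}

/** Collect image files in $dir, $perRow per table row; nothing else is listed. */
function listIcons(string $dir, int $perRow): array
{
    $rows = [[]];
    $row  = 0;
    foreach (scandir($dir) ?: [] as $file) {
        if (!is_file($dir . $file) || !preg_match('/\.(png|gif|jpe?g)\z/i', $file)) {
            continue; // skips '.', '..', subdirectories and non-image files
        }
        $rows[$row][] = $file;
        if (count($rows[$row]) >= $perRow) {
            $rows[++$row] = [];
        }
    }
    return array_values(array_filter($rows));
}

/** Render the table with each dynamic value encoded for its own context. */
function renderIconTable(string $webDir, array $rows): string
{
    $html = '';
    foreach ($rows as $files) {
        $html .= '<tr>';
        foreach ($files as $file) {
            $src  = $webDir . $file;
            // src attribute: HTML-escape. onclick: build a JS string literal
            // with json_encode, then HTML-escape the whole attribute value.
            $attr = htmlspecialchars($src, ENT_QUOTES, 'UTF-8');
            $js   = htmlspecialchars('setIcon(' . json_encode($src, JSON_UNESCAPED_SLASHES) . '); return false;', ENT_QUOTES, 'UTF-8');
            $html .= "<td><a href=\"#\" onclick=\"$js\"><img src=\"$attr\" alt=\"\" /></a></td>";
        }
        $html .= '</tr>';
    }
    return $html;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone check against a constructed tree with one permitted icon dir.
    @mkdir(BASE . 'icons/set1', 0700, true);
    touch(BASE . 'icons/set1/star.png');
    var_dump(resolveIconDir('/exponent/icons/set1/')); // accepted: relative path under a root
    var_dump(resolveIconDir('/../../../'));            // the advisory's request: rejected
} else {
    $relative = resolveIconDir($_GET['icodir'] ?? '');
    if ($relative === null) {
        http_response_code(400);
        exit('Invalid icon directory');
    }
    echo '<table>', renderIconTable(PATH_RELATIVE . $relative, listIcons(BASE . $relative, 5)), '</table>';
}
```

Run from the command line it builds a placeholder tree under the system temp directory and shows the two outcomes; under a web server it renders the table only for directories beneath the permitted roots. The regex alone already stops "../", but the realpath() containment check is what makes the decision independent of how the name was spelled or what it links to.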
2 ) Exponent Script Insertion
Input passed to the "body" field of the "weblogmodule" module (Weblog Comments)
is not properly sanitised before being used.
This can be exploited to insert arbitrary HTML and script code, which will
be executed in a user's browser session in the context of an affected site
when a malicious entry is viewed.
3 ) Exponent Cross-Site Scripting Vulnerabilities
Input passed to the "url" parameter in
/external/magpierss/scripts/magpie_debug.php and
/external/magpierss/scripts/magpie_simple.php, and to the "rss_url" parameter
in /external/magpierss/scripts/magpie_slashbox.php, is not properly sanitised
before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.
Many more such instances can be found.
POC :
http://HOST/external/magpierss/scripts/magpie_debug.php?url=<script>alert(document.cookie)</script>
http://HOST/external/magpierss/scripts/magpie_slashbox.php?rss_url=<script>alert(document.cookie)</script>
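The two sinks in items 2 and 3 call for different handling, which the added example below illustrates; it is written for this page and is not Exponent's or MagpieRSS's code. A weblog comment body is user text that is stored and later displayed, so it is escaped on output and newlines are converted to line breaks. The "url"/"rss_url" values in the magpie scripts are reflected back to the requester, so the example validates them as absolute http(s) URLs first and escapes the accepted value; a rejected value, such as the PoC payload above, is never written into the page. Function names and the sample inputs are constructed for the example.

```php
<?php
// Added example, not Exponent's or MagpieRSS's code: output handling for
// the stored (item 2) and reflected (item 3) inputs from the advisory.
declare(strict_types=1);

/**
 * Item 2: a weblog comment body is user text. Store it verbatim and render
 * it as text: escape on output, then turn newlines into <br>.
 */
function renderCommentBody(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), false);
}

/**
 * Item 3: the magpie scripts reflect "url"/"rss_url". Accept only an
 * absolute http(s) URL; anything else returns null and is never echoed.
 */
function validateFeedUrl(string $raw): ?string
{
    $raw = trim($raw);
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($raw, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $raw : null;
}

/** Reflect a value into HTML text only after validation and escaping. */
function renderFeedNotice(string $raw): string
{
    $url = validateFeedUrl($raw);
    if ($url === null) {
        return '<p>Invalid feed URL.</p>'; // the rejected input is not echoed
    }
    return '<p>Fetching ' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed inputs: the PoC payload from the advisory and a benign URL.
$samples = [
    "<script>alert(document.cookie)</script>",
    "https://example.com/feed.rss\nsecond line",
];
foreach ($samples as $sample) {
    echo renderCommentBody($sample), "\n", renderFeedNotice($sample), "\n\n";
}
```

Run with `php` the first sample is displayed as inert text by renderCommentBody() and refused outright by renderFeedNotice(); the second is rendered with a line break as a comment and refused as a feed URL because of the embedded newline, which filter_var() does not accept.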
4 ) Exponent Full Path Disclosure Weakness
The problem is that it is possible to disclose the full path to
"sdk/blanks/formcontrol.php" and "sdk/blanks/file_modules.php" by accessing
them directly.
# copyright : http://www.bugtraq.ir