Exponent CMS 0.97 Cross Site Scripting / File Disclosure / Local File Inclusion / Shell Upload

`  
Exponent CMS v0.97 Multiple Vulnerabilities  
  
  
Vendor: OIC Group Inc.  
Product web page: http://www.exponentcms.org  
Affected version: 0.97  
  
Summary: Open Source Content Management System (PHP+MySQL).  
  
Desc: Exponent CMS suffers from multiple vulnerabilities:  
  
#1. Local File Inclusion / File Disclosure Vulnerability  
#2. Arbitrary File Upload / File Modify Vulnerability  
#3. Reflected Cross-Site Scripting Vulnerability  
  
(1) LFI/FD occurs when input passed thru the params:  
- "action"  
- "expid"  
- "ajax_action"  
- "printerfriendly"  
- "section"  
- "module"  
- "controller"  
- "int"  
- "src"  
- "template"  
- "page"  
- "_common"  
  
to the scripts:  
- "index.php"  
- "login_redirect.php"  
- "mod_preview.php"  
- "podcast.php"  
- "popup.php"  
- "rss.php"  
  
is not properly verified before being used to include files.  
This can be exploited to include files from local resources  
with directory traversal attacks and URL encoded NULL bytes.  
  
  
(2) AFU/E occurs due to an error in:  
- "upload_fileuploadcontrol.php"  
- "upload_standalone.php"  
- "manifest.php"  
- "delete.php"  
- "edit.php"  
- "manage.php"  
- "rank_switch.php"  
- "save.php"  
- "view.php"  
- "class.php"  
- "deps.php"  
- "delete_form.php"  
- "delete_process.php"  
- "search.php"  
- "send_feedback.php"  
- "viewday.php"  
- "viewmonth.php"  
- "viewweek.php"  
- "testbot.php"  
- "activate_bot.php"  
- "deactivate_bot.php"  
- "manage_bots.php"  
- "run_bot.php"  
- "class.php"  
- "delete_board.php"  
- "delete_post.php"  
- "edit_board.php"  
- "edit_post.php"  
- "edit_rank.php"  
- "monitor_all_boards.php"  
- "monitor_board.php"  
- "monitor_thread.php"  
- "preview_post.php"  
- "save_board.php"  
- "save_post.php"  
- "save_rank.php"  
- "view_admin.php"  
- "view_board.php"  
- "view_rank.php"  
- "view_thread.php"  
- "banner_click.php"  
- "ad_delete.php"  
- "ad_edit.php"  
- "ad_save.php"  
- "af_delete.php"  
- "af_edit.php"  
- "af_save.php"  
- "delete_article.php"  
- "edit_article.php"  
- "save_article.php"  
- "save_submission.php"  
- "submit_article.php"  
- "view_article.php"  
- "view_submissions.php"  
- "coretasks.php"  
- "htmlarea_tasks.php"  
- "search_tasks.php"  
- "clear_smarty_cache.php"  
- "configuresite.php"  
- "config_activate.php"  
- "config_configuresite.php"  
- "config_delete.php"  
- "config_save.php"  
- "examplecontent.php"  
- "finish_install_extension.php"  
- "gmgr_delete.php"  
- "gmgr_editprofile.php"  
- "gmgr_membership.php"  
- "gmgr_savegroup.php"  
- "gmgr_savemembers.php"  
  
as it allows uploads of files with multiple extensions to a  
folder inside the web root. This can be exploited to execute  
arbitrary PHP code by uploading a specially crafted PHP script.  
  
The uploaded files are stored in: [CMS_ROOT_HOST]\files  
  
  
(3) XSS occurs when input passed to the params:  
- "u"  
- "expid"  
- "ajax_action"  
- "ss"  
- "sm"  
- "url"  
- "rss_url"  
- "lang"  
- "toolbar"  
- "section"  
- "section_name"  
- "src"  
  
in scripts:  
- "slideshow.js.php"  
- "picked_source.php"  
- "magpie_debug.php"  
- "magpie_simple.php"  
- "magpie_slashbox.php"  
- "test.php"  
- "fcktoolbarconfig.js.php"  
- "section_linked.php"  
- "index.php"  
  
is not properly sanitised before being returned to the user.  
This can be exploited to execute arbitrary HTML and script  
code in a user's browser session in context of an affected site.  
  
  
Tested on: Microsoft Windows XP Professional SP3 (English)  
Apache 2.2.14 (Win32)  
MySQL 5.1.41  
PHP 5.3.1  
  
  
Vendor status: [09.10.2010] Vulnerabilities discovered.  
[10.10.2010] Vendor contacted.  
[13.10.2010] No reply from vendor.  
[14.10.2010] Public advisory released.  
  
  
Advisory ID: ZSL-2010-4969  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php  
  
  
Vulnerabilities discovered by: Gjoko 'LiquidWorm' Krstic  
liquidworm gmail com  
Zero Science Lab - http://www.zeroscience.mk  
  
  
Proofs of Concept:  
  
(1) LFI/FD - http://exponent_site/index.php?action=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&expid=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&ajax_action=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&printerfriendly=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&section=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&module=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&controller=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00  
  
...  
  
(2) AFU/E - http://exponent_site/modules/cermi/actions/upload_fileuploadcontrol.php?action=[FILE]&expid=[FILE]&ajax_action=[FILE]  
  
...  
  
(3) XSS - http://exponent_site/external/magpierss/scripts/magpie_slashbox.php?rss_url=3141%3cscript%3ealert("zsl_xss")%3c%2fscript%3e  
  
...  
`