Vulners
Lucene search
Exponent CMS 0.97 - Multiple Vulnerabilities
Exponent CMS v0.97 Multiple Vulnerabilities
Vendor: OIC Group Inc.
Product web page: http://www.exponentcms.org
Affected version: 0.97
Summary: Open Source Content Management System (PHP+MySQL).
Desc: Exponent CMS suffers from multiple vulnerabilities:
#1. Local File Inclusion / File Disclosure Vulnerability
#2. Arbitrary File Upload / File Modify Vulnerability
#3. Reflected Cross-Site Scripting Vulnerability
(1) LFI/FD occurs when input passed thru the params:
- "action"
- "expid"
- "ajax_action"
- "printerfriendly"
- "section"
- "module"
- "controller"
- "int"
- "src"
- "template"
- "page"
- "_common"
to the scripts:
- "index.php"
- "login_redirect.php"
- "mod_preview.php"
- "podcast.php"
- "popup.php"
- "rss.php"
is not properly verified before being used to include files.
This can be exploited to include files from local resources
with directory traversal attacks and URL encoded NULL bytes.
(2) AFU/E occurs due to an error in:
- "upload_fileuploadcontrol.php"
- "upload_standalone.php"
- "manifest.php"
- "delete.php"
- "edit.php"
- "manage.php"
- "rank_switch.php"
- "save.php"
- "view.php"
- "class.php"
- "deps.php"
- "delete_form.php"
- "delete_process.php"
- "search.php"
- "send_feedback.php"
- "viewday.php"
- "viewmonth.php"
- "viewweek.php"
- "testbot.php"
- "activate_bot.php"
- "deactivate_bot.php"
- "manage_bots.php"
- "run_bot.php"
- "class.php"
- "delete_board.php"
- "delete_post.php"
- "edit_board.php"
- "edit_post.php"
- "edit_rank.php"
- "monitor_all_boards.php"
- "monitor_board.php"
- "monitor_thread.php"
- "preview_post.php"
- "save_board.php"
- "save_post.php"
- "save_rank.php"
- "view_admin.php"
- "view_board.php"
- "view_rank.php"
- "view_thread.php"
- "banner_click.php"
- "ad_delete.php"
- "ad_edit.php"
- "ad_save.php"
- "af_delete.php"
- "af_edit.php"
- "af_save.php"
- "delete_article.php"
- "edit_article.php"
- "save_article.php"
- "save_submission.php"
- "submit_article.php"
- "view_article.php"
- "view_submissions.php"
- "coretasks.php"
- "htmlarea_tasks.php"
- "search_tasks.php"
- "clear_smarty_cache.php"
- "configuresite.php"
- "config_activate.php"
- "config_configuresite.php"
- "config_delete.php"
- "config_save.php"
- "examplecontent.php"
- "finish_install_extension.php"
- "gmgr_delete.php"
- "gmgr_editprofile.php"
- "gmgr_membership.php"
- "gmgr_savegroup.php"
- "gmgr_savemembers.php"
as it allows uploads of files with multiple extensions to a
folder inside the web root. This can be exploited to execute
arbitrary PHP code by uploading a specially crafted PHP script.
The uploaded files are stored in: [CMS_ROOT_HOST]\files
(3) XSS occurs when input passed to the params:
- "u"
- "expid"
- "ajax_action"
- "ss"
- "sm"
- "url"
- "rss_url"
- "lang"
- "toolbar"
- "section"
- "section_name"
- "src"
in scripts:
- "slideshow.js.php"
- "picked_source.php"
- "magpie_debug.php"
- "magpie_simple.php"
- "magpie_slashbox.php"
- "test.php"
- "fcktoolbarconfig.js.php"
- "section_linked.php"
- "index.php"
is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
Tested on: Microsoft Windows XP Professional SP3 (English)
Apache 2.2.14 (Win32)
MySQL 5.1.41
PHP 5.3.1
Vendor status: [09.10.2010] Vulnerabilities discovered.
[10.10.2010] Vendor contacted.
[13.10.2010] No reply from vendor.
[14.10.2010] Public advisory released.
Advisory ID: ZSL-2010-4969
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php
Vulnerabilities discovered by: Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
Proofs of Concept:
(1) LFI/FD - http://exponent_site/index.php?action=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&expid=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&ajax_action=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&printerfriendly=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00§ion=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&module=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&controller=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00
...
(2) AFU/E - http://exponent_site/modules/cermi/actions/upload_fileuploadcontrol.php?action=[FILE]&expid=[FILE]&ajax_action=[FILE]
...
(3) XSS - http://exponent_site/external/magpierss/scripts/magpie_slashbox.php?rss_url=3141%3cscript%3ealert("zsl_xss")%3c%2fscript%3e
...
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1