Exponent CMS v0.97 Multiple Vulnerabilities

2010-10-14T00:00:00
ID ZSL-2010-4969
Type zeroscience
Reporter Gjoko Krstic
Modified 2010-10-14T00:00:00

Description

Title: Exponent CMS v0.97 Multiple Vulnerabilities
Advisory ID: ZSL-2010-4969
Type: Local/Remote
Impact: Cross-Site Scripting, System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (4/5)
Release Date: 14.10.2010

Summary

Open Source Content Management System (PHP+MySQL).

Description

Exponent CMS suffers from multiple vulnerabilities:

1. Local File Inclusion / File Disclosure Vulnerability

2. Arbitrary File Upload / File Modify Vulnerability

3. Reflected Cross-Site Scripting Vulnerability

(1) LFI/FD occurs when input passed thru the params:
- "action"
- "expid"
- "ajax_action"
- "printerfriendly"
- "section"
- "module"
- "controller"
- "int"
- "src"
- "template"
- "page"
- "_common"

to the scripts:
- "index.php"
- "login_redirect.php"
- "mod_preview.php"
- "podcast.php"
- "popup.php"
- "rss.php"

is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

(2) AFU/E occurs due to an error in:
- "upload_fileuploadcontrol.php"
- "upload_standalone.php"
- "manifest.php"
- "delete.php"
- "edit.php"
- "manage.php"
- "rank_switch.php"
- "save.php"
- "view.php"
- "class.php"
- "deps.php"
- "delete_form.php"
- "delete_process.php"
- "search.php"
- "send_feedback.php"
- "viewday.php"
- "viewmonth.php"
- "viewweek.php"
- "testbot.php"
- "activate_bot.php"
- "deactivate_bot.php"
- "manage_bots.php"
- "run_bot.php"
- "class.php"
- "delete_board.php"
- "delete_post.php"
- "edit_board.php"
- "edit_post.php"
- "edit_rank.php"
- "monitor_all_boards.php"
- "monitor_board.php"
- "monitor_thread.php"
- "preview_post.php"
- "save_board.php"
- "save_post.php"
- "save_rank.php"
- "view_admin.php"
- "view_board.php"
- "view_rank.php"
- "view_thread.php"
- "banner_click.php"
- "ad_delete.php"
- "ad_edit.php"
- "ad_save.php"
- "af_delete.php"
- "af_edit.php"
- "af_save.php"
- "delete_article.php"
- "edit_article.php"
- "save_article.php"
- "save_submission.php"
- "submit_article.php"
- "view_article.php"
- "view_submissions.php"
- "coretasks.php"
- "htmlarea_tasks.php"
- "search_tasks.php"
- "clear_smarty_cache.php"
- "configuresite.php"
- "config_activate.php"
- "config_configuresite.php"
- "config_delete.php"
- "config_save.php"
- "examplecontent.php"
- "finish_install_extension.php"
- "gmgr_delete.php"
- "gmgr_editprofile.php"
- "gmgr_membership.php"
- "gmgr_savegroup.php"
- "gmgr_savemembers.php"

as it allows uploads of files with multiple extensions to a folder inside the web root. This can be exploited to execute arbitrary PHP code by uploading a specially crafted PHP script.

The uploaded files are stored in: [CMS_ROOT_HOST]\files

(3) XSS occurs when input passed to the params:
- "u"
- "expid"
- "ajax_action"
- "ss"
- "sm"
- "url"
- "rss_url"
- "lang"
- "toolbar"
- "section"
- "section_name"
- "src"

in scripts:
- "slideshow.js.php"
- "picked_source.php"
- "magpie_debug.php"
- "magpie_simple.php"
- "magpie_slashbox.php"
- "test.php"
- "fcktoolbarconfig.js.php"
- "section_linked.php"
- "index.php"

is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Vendor

OIC Group Inc. - <http://www.exponentcms.org>

Affected Version

0.97

Tested On

Microsoft Windows XP Professional SP3 (English)
Apache 2.2.14 (Win32)
MySQL 5.1.41
PHP 5.3.1

Vendor Status

[09.10.2010] Vulnerabilities discovered.
[10.10.2010] Vendor contacted.
[13.10.2010] No reply from vendor.
[14.10.2010] Public advisory released.

PoC

exponent_cms.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://securityreason.com/wlb_show/WLB-2010100071>
[2] <http://www.exploit-db.com/exploits/15247/>
[3] <http://www.packetstormsecurity.org/filedesc/exponentcms-lfidisclosexss.txt.html>
[4] <http://xforce.iss.net/xforce/xfdb/62527>
[5] <http://xforce.iss.net/xforce/xfdb/62528>
[6] <http://www.securityfocus.com/bid/44095>
[7] <http://secunia.com/advisories/36703/>
[8] <http://www.qurizhao.com/Article/HTML/20101014164902.html>

Changelog

[14.10.2010] - Initial release
[15.10.2010] - Added reference [4], [5] and [6]
[18.10.2010] - Added reference [7]
[19.10.2010] - Added reference [8]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;