Home / exploits exponent-multi.txt
Posted on 23 April 2007
Exponent Multiple Vulnerabilities Exponent is a fully-featured, modern CMS written in PHP, that enables non-technical people to manage and update their websites with minimal effort. Exponent is also an attractive development platform for traditional and non-traditional web applications. it's great cms http://www.exponentcms.org Credit: The information has been provided by Hamid Ebadi ( www.bugtraq.ir Iran Security Research ) The original article can be found at : http://www.bugtraq.ir/articles/advisory/exponent_multiple_vulnerabilities/10 Vulnerable: Exponent exponent-0.96.6-Alpha and below 1 ) Exponent Directory traversal (Exposure of sensitive information) Input passed to the "icodir" parameters in "iconspopup.php" isn't properly verified. This can be exploited by malicious people to disclose sensitive information (using "../" directory traversal character sequence.) Vulnerable Code : //line 40 define('ICONDIR',BASE.str_replace(PATH_RELATIVE,"",$_GET['icodir'])); . . . $dh = opendir(ICONDIR); $counter = 0; while (($file = readdir($dh)) !== false) { if (is_readable(ICONDIR.$file) && is_file(ICONDIR.$file)) { $iconfiles[$thisrow][] = $file; $counter++; if ($counter >= $perrow) { $counter = 0; $thisrow++; $iconfiles[$thisrow] = array(); } } } } else $good = false; // . . . //line 73 <?php for ($i = 0; $i < count($iconfiles); $i++) { echo '<tr>'; for ($j = 0; $j < count($iconfiles[$i]); $j++) { echo '<td>'; $imgsrc = $_GET['icodir'] . $iconfiles[$i][$j]; echo "<a href='' onClick='setIcon("$imgsrc"); return false'><img src='$imgsrc' border='0' /></a>"; echo '</td>'; } echo '</tr>'; } ?> exploit: http://[exponent]/iconspopup.php?icodir=/../../../ 2 ) Exponent Script Insertion Input passed to the "body" in "weblogmodule" module (Weblog Comments) is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when a malicious entry is viewed. 3 ) Exponent Cross-Site Scripting Vulnerabilities Input passed to the "url" parameter in /external/magpierss/scripts/magpie_debug.php and /external/magpierss/scripts/magpie_simple.php, the "rss_url" parameter in /external/magpierss/scripts/magpie_slashbox.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. and you can find many more if you want . POC : http://HOST/external/magpierss/scripts/magpie_debug.php?url=<script> alert( document.cookie) </script> http://HOST/external/magpierss/scripts/magpie_slashbox.php?rss_url=<script> alert(document.cookie) </script> 4 ) Exponent Full Path Disclosure Weakness The problem is that it is possible to disclose the full path to "sdk/blanks/formcontrol.php" and "sdk/blanks/file_modules.php" by accessing it directly. # copyright : http://www.bugtraq.ir