Home / exploits Exponent CMS 2.3.9 SQL Injection
Posted on 30 November -0001
<HTML><HEAD><TITLE>Exponent CMS 2.3.9 SQL Injection</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Disclose 10 * cve in Exponent CMS [CVE-2016-7780] > In the line 42 of cron/find_help.php , $_GET['version'] can be > controlled and injected. It is possible to time-based blind SQL Inject > by the param of "version". fix: https://github.com/exponentcms/exponent-cms/commit/a8efd9ca71fc9b8b843ad0910d435d237482ee31 [CVE-2016-7781] > In the line 387 function getUserByName of > ./framework/modules/users/models/user.php , $name can be controlled and > injected. It is possible to time-based blind SQL Inject by the param of > "author". fix: In the line 169 of framework/modules/blog/controllers/blogController.php , $this->params['author'] has been escaped. https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db [CVE-2016-7782] > In the line 33 of ./framework/core/models/expConfig.php , > $this->location_data can be controlled and injected. It is possible to > time-based blind SQL Inject by the param of "src". fix:http://forums.exponentcms.org/index.php?p=/discussion/comment/1591#Comment_1591 [CVE-2016-7783] > In the line 118 of ./framework/core/models/expRecord.php , $params can > be controlled and injected. It is possible to boolean-based and > time-based blind SQL Inject by the param of "title" . fix:http://www.exponentcms.org/news/security-vulnerability-all-exponent-versions-october-2016 [CVE-2016-7784] > This bug was found in the framework/core/subsystems/expRouter.php > It is possible to inject SQL code in the function getSection by > $_REQUEST['section']. fix:https://exponentcms.lighthouseapp.com/projects/61783/changesets/1965e3719986406576898668855b8afbab43ed2c [CVE-2016-7788] >In Exponent CMS <=2.3.9, In the line 74 of ./framework/modules/users/models/user.php , $username > can be controlled and injected.It is possible to time-based blind SQL > Inject by the param of "username". fix: In the line 127 of file framework/modules/users/controllers/loginController.php. https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db [CVE-2016-7789] >In Exponent CMS <=2.3.9, framework/modules/eaas/controllers/eaasController.php , $key can be > controlled. And in the line 33 of framework/core/models/expConfig.php, > $this->location_data can be controlled and injected. It is possible to > boolean-based blind SQL Inject by the param of apikey. fix:http://forums.exponentcms.org/index.php?p=/discussion/comment/1591#Comment_1591 [CVE-2016-9019] > In Exponent CMS <=2.3.9, in the function activate_address of the file > framework/modules/addressbook/controllers/addressController.php, > $this->params['is_what'] can be controlled and injected. It is possible > to do time-based SQL inject by the param 'is_what'. fix:http://forums.exponentcms.org/index.php?p=/discussion/comment/1591#Comment_1591 [CVE-2016-9020] > In exponentcms <=2.3.9, in the line 125 of file > framework/modules/help/controllers/helpController.php, > $this->params['version'] can be controlled and injected. it is possible > to SQL injection by the param of 'version'. Fix: In the line 55 of framework/modules/help/models/help_version.php , $version has been escaped by function expString::escape. https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db [CVE-2016-9087] > In exponentcms <=2.3.9, in the line 94 of file > framework/modules/filedownloads/controllers/filedownloadController.php, > $this->param['fileid'] can be controlled and injected. It is possible > to SQL inject by param fileid. Fix: In the line 94 of file framework/modules/filedownloads/controllers/filedownloadController.php , $this->params['fileid'] has been escaped by function expString::escape. https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db Reported By web-Obfuscator in dbappsecurity </BODY></HTML>