
[webapps / 0day] - Exponent CMS v0.97 Multiple Vulnerabilities

Posted on 13 October 2010

===========================================
Exponent CMS v0.97 Multiple Vulnerabilities
===========================================

Vendor: OIC Group Inc.
Product web page: http://www.exponentcms.org
Affected version: 0.97

Summary: Open Source Content Management System (PHP+MySQL).

Desc: Exponent CMS suffers from multiple vulnerabilities:

#1. Local File Inclusion / File Disclosure Vulnerability
#2. Arbitrary File Upload / File Modify Vulnerability
#3. Reflected Cross-Site Scripting Vulnerability

(1) LFI/FD occurs when input passed through the params:

- "action"
- "expid"
- "ajax_action"
- "printerfriendly"
- "section"
- "module"
- "controller"
- "int"
- "src"
- "template"
- "page"
- "_common"

to the scripts:

- "index.php"
- "login_redirect.php"
- "mod_preview.php"
- "podcast.php"
- "popup.php"
- "rss.php"

is not properly verified before being used to include files. This can be
exploited to include files from local resources with directory traversal
attacks and URL encoded NULL bytes.

(2) AFU/E occurs due to an error in:

- "upload_fileuploadcontrol.php"
- "upload_standalone.php"
- "manifest.php"
- "delete.php"
- "edit.php"
- "manage.php"
- "rank_switch.php"
- "save.php"
- "view.php"
- "class.php"
- "deps.php"
- "delete_form.php"
- "delete_process.php"
- "search.php"
- "send_feedback.php"
- "viewday.php"
- "viewmonth.php"
- "viewweek.php"
- "testbot.php"
- "activate_bot.php"
- "deactivate_bot.php"
- "manage_bots.php"
- "run_bot.php"
- "class.php"
- "delete_board.php"
- "delete_post.php"
- "edit_board.php"
- "edit_post.php"
- "edit_rank.php"
- "monitor_all_boards.php"
- "monitor_board.php"
- "monitor_thread.php"
- "preview_post.php"
- "save_board.php"
- "save_post.php"
- "save_rank.php"
- "view_admin.php"
- "view_board.php"
- "view_rank.php"
- "view_thread.php"
- "banner_click.php"
- "ad_delete.php"
- "ad_edit.php"
- "ad_save.php"
- "af_delete.php"
- "af_edit.php"
- "af_save.php"
- "delete_article.php"
- "edit_article.php"
- "save_article.php"
- "save_submission.php"
- "submit_article.php"
- "view_article.php"
- "view_submissions.php"
- "coretasks.php"
- "htmlarea_tasks.php"
- "search_tasks.php"
- "clear_smarty_cache.php"
- "configuresite.php"
- "config_activate.php"
- "config_configuresite.php"
- "config_delete.php"
- "config_save.php"
- "examplecontent.php"
- "finish_install_extension.php"
- "gmgr_delete.php"
- "gmgr_editprofile.php"
- "gmgr_membership.php"
- "gmgr_savegroup.php"
- "gmgr_savemembers.php"

as it allows uploads of files with multiple extensions to a folder inside
the web root. This can be exploited to execute arbitrary PHP code by
uploading a specially crafted PHP script.

The uploaded files are stored in: [CMS_ROOT_HOST]files

(3) XSS occurs when input passed to the params:

- "u"
- "expid"
- "ajax_action"
- "ss"
- "sm"
- "url"
- "rss_url"
- "lang"
- "toolbar"
- "section"
- "section_name"
- "src"

in scripts:

- "slideshow.js.php"
- "picked_source.php"
- "magpie_debug.php"
- "magpie_simple.php"
- "magpie_slashbox.php"
- "test.php"
- "fcktoolbarconfig.js.php"
- "section_linked.php"
- "index.php"

is not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in the context of an affected site.

Tested on: Microsoft Windows XP Professional SP3 (English)
           Apache 2.2.14 (Win32)
           MySQL 5.1.41
           PHP 5.3.1

Vendor status:

[09.10.2010] Vulnerabilities discovered.
[10.10.2010] Vendor contacted.
[13.10.2010] No reply from vendor.
[14.10.2010] Public advisory released.

Advisory ID: ZSL-2010-4969
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php

Vulnerabilities discovered by:
Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk

Proofs of Concept:

(1) LFI/FD - http://exponent_site/index.php?action=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&expid=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&ajax_action=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&printerfriendly=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&section=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&module=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&controller=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00 ...

(2) AFU/E - http://exponent_site/modules/cermi/actions/upload_fileuploadcontrol.php?action=[FILE]&expid=[FILE]&ajax_action=[FILE] ...

(3) XSS - http://exponent_site/external/magpierss/scripts/magpie_slashbox.php?rss_url=3141%3cscript%3ealert("zsl_xss")%3c%2fscript%3e ...

# Inj3ct0r.com [2010-10-13]
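The three issue classes above leave distinct traces in a web server's access log: directory traversal sequences and encoded NULL bytes in the include parameters (1), multi-extension names requested under the upload directory (2), and script markup reflected through the listed parameters (3). The following detection script is an added example and is not code from the advisory, from Zero Science Lab or from the Exponent CMS project. It reuses the parameter names the advisory lists, parses Apache combined-format lines, decodes parameters twice so double-encoded values are seen in clear, and returns labelled findings. The sample log lines, the finding labels, the `/files/` path prefix used as the upload directory and the two-round decoding limit are all constructed assumptions.

```python
"""Triage access-log lines for the three Exponent CMS 0.97 issue classes.

Added example (not from the advisory or the Exponent project). Sample log
lines and finding labels are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names taken from the advisory's LFI (1) and XSS (3) lists.
LFI_PARAMS = {"action", "expid", "ajax_action", "printerfriendly", "section",
              "module", "controller", "int", "src", "template", "page", "_common"}
XSS_PARAMS = {"u", "expid", "ajax_action", "ss", "sm", "url", "rss_url",
              "lang", "toolbar", "section", "section_name", "src"}

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# A .php/.phtml component anywhere in a file name under the upload directory
# (assumed to be served at /files/), e.g. name.php, name.php.jpg, name.php3.txt.
UPLOAD_DIR_PHP_RE = re.compile(
    r"/files/[^/?]+\.(?:php\d?|phtml)(?:\.[^/.]+)*$", re.IGNORECASE)

# Markup that should never appear in the reflected parameters.
XSS_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def decode(value: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so double-encoded values are visible."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def classify(target: str) -> list:
    """Return sorted finding labels for one request target (path + query)."""
    parts = urlsplit(target)
    findings = set()
    # parse_qsl already decodes once; decode() handles a second layer.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        val = decode(raw)
        if name in LFI_PARAMS and ("../" in val or "..\\" in val or "\x00" in val):
            findings.add("lfi-traversal")
        if name in XSS_PARAMS and XSS_RE.search(val):
            findings.add("xss-reflected")
    if UPLOAD_DIR_PHP_RE.search(decode(parts.path)):
        findings.add("upload-php-in-files")
    return sorted(findings)


def scan(lines) -> list:
    """Parse each log line and keep those that produce at least one finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        labels = classify(m.group("target"))
        if labels:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"), "findings": labels})
    return hits


# Constructed sample: two benign requests and four matching each issue class.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Oct/2010:10:01:02 +0200] "GET /index.php?action=..%2f..%2f..%2fboot.ini%00 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [13/Oct/2010:10:01:03 +0200] "GET /index.php?section=home HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [13/Oct/2010:10:01:04 +0200] "GET /index.php?action=..%252f..%252fboot.ini HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [13/Oct/2010:10:02:10 +0200] "GET /external/magpierss/scripts/magpie_slashbox.php?rss_url=3141%3cscript%3ealert(1)%3c%2fscript%3e HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [13/Oct/2010:10:02:11 +0200] "GET /files/upload.php.jpg HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Oct/2010:10:03:00 +0200] "GET /files/report.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], ",".join(hit["findings"]), hit["target"])
```

Running the script prints one line per flagged request (four of the six constructed entries). The decode step is bounded to two rounds on purpose: unbounded decoding turns a log scanner into a small denial-of-service target of its own, and two layers cover the common double-encoding case.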
