Exponent Multiple Vulnerabilities
Exponent is a fully-featured, modern CMS written in PHP, that enables non-technical people to manage and update their websites with minimal effort.
Exponent is also an attractive development platform for traditional and non-traditional web applications. it's great cms
http://www.exponentcms.org
Credit:
The information has been provided by Hamid Ebadi ( www.bugtraq.ir Iran Security Research )
The original article can be found at :
http://www.bugtraq.ir/articles/advisory/exponent_multiple_vulnerabilities/10
Vulnerable:
Exponent exponent-0.96.6-Alpha and below
1 ) Exponent Directory traversal (Exposure of sensitive information)
Input passed to the "icodir" parameters in "iconspopup.php" isn't properly verified.
This can be exploited by malicious people to disclose sensitive information
(using "../" directory traversal character sequence.)
Vulnerable Code :
//line 40
define('ICONDIR',BASE.str_replace(PATH_RELATIVE,"",$_GET['icodir']));
.
.
.
$dh = opendir(ICONDIR);
$counter = 0;
while (($file = readdir($dh)) !== false) {
if (is_readable(ICONDIR.$file) && is_file(ICONDIR.$file)) {
$iconfiles[$thisrow][] = $file;
$counter++;
if ($counter >= $perrow) {
$counter = 0;
$thisrow++;
$iconfiles[$thisrow] = array();
}
}
}
} else $good = false;
//
.
.
.
//line 73
<?php
for ($i = 0; $i < count($iconfiles); $i++) {
echo '<tr>';
for ($j = 0; $j < count($iconfiles[$i]); $j++) {
echo '<td>';
$imgsrc = $_GET['icodir'] . $iconfiles[$i][$j];
echo "<a href='' onClick='setIcon(\"$imgsrc\"); return false'><img src='$imgsrc' border='0' /></a>";
echo '</td>';
}
echo '</tr>';
}
?>
exploit:
http://[exponent]/iconspopup.php?icodir=/../../../
2 ) Exponent Script Insertion
Input passed to the "body" in "weblogmodule" module (Weblog Comments) is not properly sanitised before being used.
This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session
in context of an affected site when a malicious entry is viewed.
3 ) Exponent Cross-Site Scripting Vulnerabilities
Input passed to the "url" parameter in /external/magpierss/scripts/magpie_debug.php and /external/magpierss/scripts/magpie_simple.php, the "rss_url" parameter in /external/magpierss/scripts/magpie_slashbox.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
and you can find many more if you want .
POC :
http://HOST/external/magpierss/scripts/magpie_debug.php?url=<script> alert(document.cookie) </script>
http://HOST/external/magpierss/scripts/magpie_slashbox.php?rss_url=<script> alert(document.cookie) </script>
4 ) Exponent Full Path Disclosure Weakness
The problem is that it is possible to disclose the full path to "sdk/blanks/formcontrol.php" and "sdk/blanks/file_modules.php" by accessing it directly.
Vulnerable Code :
//line 40
define('ICONDIR',BASE.str_replace(PATH_RELATIVE,"",$_GET['icodir']));
.
.
.
$dh = opendir(ICONDIR);
$counter = 0;
while (($file = readdir($dh)) !== false) {
if (is_readable(ICONDIR.$file) && is_file(ICONDIR.$file)) {
$iconfiles[$thisrow][] = $file;
$counter++;
if ($counter >= $perrow) {
$counter = 0;
$thisrow++;
$iconfiles[$thisrow] = array();
}
}
}
} else $good = false;
//
.
.
.
//line 73
<?php
for ($i = 0; $i < count($iconfiles); $i++) {
echo '<tr>';
for ($j = 0; $j < count($iconfiles[$i]); $j++) {
echo '<td>';
$imgsrc = $_GET['icodir'] . $iconfiles[$i][$j];
echo "<a href='' onClick='setIcon(\"$imgsrc\"); return false'><img src='$imgsrc' border='0' /></a>";
echo '</td>';
}
echo '</tr>';
}
?>
آرشیو آسیب پذیری ها
