Hans Wolters
19/11/05, 19:00
A number of security issues have been discovered in ExponentCMS
------------------------------------------------------------------------
---------------------
Exponent is a fully-featured, modern CMS written in PHP, that enables
non-technical people to manage and update their websites with
minimal effort. Exponent is also an attractive development platform for
traditional and non-traditional web applications.
Exponent can be found at:
http://sourceforge.net/projects/exponent/
------------------------------------------------------------------------
---------------------
Security issues are located in 0.96.3 and higher.
1. js injection in forms.
ExponentCMS has a form generator which allows admin to create new
forms. Once these forms are used by users it is in most cases possible
to craft javascript injections which will be send to the given person.
Status: open
2. SQL injections in the navigation module.
Problem:
Any user who is allowed to change the order of the menu
is able to inject sql using a crafted url.
PoC:
<host>/index.php?action=order&parent=41%20or%
201&a=1&b=0&module=navigationmodule
Solution:
Typecast values where possible.
Status:
Fixed in CVS. Together with lots of other modules where no typecasting
is used.
3. Path disclosure in the extra Image Gallery module:
There is a security issue in the image gallery which
can be downloaded apart from the current stable.
In the output it shows the path above the document root
when placing the preview icons:
thumb.php?base=/var/www/site2/exponent-0.96.3/......
Status:
Fixed in cvs
4. (XSS) invalid checking of mime type for uploads
Exponent, the imagegallery to be specific, lacks mime
type checking on the uploads. Therefor the preview icon
is shown. On clicking the preview icon shows the source
written for the file.
Status: open
5. permissions on uploaded files
Files uploaded to exponentcms are chmodded with execute rights. In
some cases this could lead to code execution by visitors.
Status:
Fixed in CVS
6. False idea of secure file storage.
Users can create a page which is active but not public.
They can even set group/person permissions on such a
page. The default installation of exponent does not
provide a mechanism to prevent people from using a bot
to browse for uploaded resources and viewing those who
are supposed to be secured behind a login page since they
are all stored in the document root.
Status: open
7. parsing php through uploaded files
Once a user is allowed to upload
images it is possible to upload php code and do
anything the user apache/webserver is allowed to do
(some examples):
* view source code of the files.
* view and alter sessions of other users (in fact, do
anything with
the database you want to do.
* view the /etc/passwd
Status: open
8. XSS bug in the installer
Javascript is parsed when added to the url parameters of the installer
since there is hardly any user input sanitation.
Status: fixed in cvs
9.
------------------------------------------------------------------------
---------------------
Exponent is a fully-featured, modern CMS written in PHP, that enables
non-technical people to manage and update their websites with
minimal effort. Exponent is also an attractive development platform for
traditional and non-traditional web applications.
Exponent can be found at:
http://sourceforge.net/projects/exponent/
------------------------------------------------------------------------
---------------------
Security issues are located in 0.96.3 and higher.
1. js injection in forms.
ExponentCMS has a form generator which allows admin to create new
forms. Once these forms are used by users it is in most cases possible
to craft javascript injections which will be send to the given person.
Status: open
2. SQL injections in the navigation module.
Problem:
Any user who is allowed to change the order of the menu
is able to inject sql using a crafted url.
PoC:
<host>/index.php?action=order&parent=41%20or%
201&a=1&b=0&module=navigationmodule
Solution:
Typecast values where possible.
Status:
Fixed in CVS. Together with lots of other modules where no typecasting
is used.
3. Path disclosure in the extra Image Gallery module:
There is a security issue in the image gallery which
can be downloaded apart from the current stable.
In the output it shows the path above the document root
when placing the preview icons:
thumb.php?base=/var/www/site2/exponent-0.96.3/......
Status:
Fixed in cvs
4. (XSS) invalid checking of mime type for uploads
Exponent, the imagegallery to be specific, lacks mime
type checking on the uploads. Therefor the preview icon
is shown. On clicking the preview icon shows the source
written for the file.
Status: open
5. permissions on uploaded files
Files uploaded to exponentcms are chmodded with execute rights. In
some cases this could lead to code execution by visitors.
Status:
Fixed in CVS
6. False idea of secure file storage.
Users can create a page which is active but not public.
They can even set group/person permissions on such a
page. The default installation of exponent does not
provide a mechanism to prevent people from using a bot
to browse for uploaded resources and viewing those who
are supposed to be secured behind a login page since they
are all stored in the document root.
Status: open
7. parsing php through uploaded files
Once a user is allowed to upload
images it is possible to upload php code and do
anything the user apache/webserver is allowed to do
(some examples):
* view source code of the files.
* view and alter sessions of other users (in fact, do
anything with
the database you want to do.
* view the /etc/passwd
Status: open
8. XSS bug in the installer
Javascript is parsed when added to the url parameters of the installer
since there is hardly any user input sanitation.
Status: fixed in cvs
9.