Full Disclosure mailing list archives
Disclose [10 * cve] in Exponent CMS
From: Obfuscator <kaiyi.xu () dbappsecurity com cn>
Date: Wed, 2 Nov 2016 20:29:51 +0800 (GMT+08:00)
Disclose 10 * cve in Exponent CMS [CVE-2016-7780]
In the line 42 of cron/find_help.php , $_GET['version'] can be controlled and injected. It is possible to time-based blind SQL Inject by the param of "version".
fix: https://github.com/exponentcms/exponent-cms/commit/a8efd9ca71fc9b8b843ad0910d435d237482ee31 [CVE-2016-7781]
In the line 387 function getUserByName of ./framework/modules/users/models/user.php , $name can be controlled and injected. It is possible to time-based blind SQL Inject by the param of "author".
fix: In the line 169 of framework/modules/blog/controllers/blogController.php , $this->params['author'] has been escaped. https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db [CVE-2016-7782]
In the line 33 of ./framework/core/models/expConfig.php , $this->location_data can be controlled and injected. It is possible to time-based blind SQL Inject by the param of "src".
fix:http://forums.exponentcms.org/index.php?p=/discussion/comment/1591#Comment_1591 [CVE-2016-7783]
In the line 118 of ./framework/core/models/expRecord.php , $params can be controlled and injected. It is possible to boolean-based and time-based blind SQL Inject by the param of "title" .
fix:http://www.exponentcms.org/news/security-vulnerability-all-exponent-versions-october-2016 [CVE-2016-7784]
This bug was found in the framework/core/subsystems/expRouter.php It is possible to inject SQL code in the function getSection by $_REQUEST['section'].
fix:https://exponentcms.lighthouseapp.com/projects/61783/changesets/1965e3719986406576898668855b8afbab43ed2c [CVE-2016-7788]
In Exponent CMS <=2.3.9, In the line 74 of ./framework/modules/users/models/user.php , $username can be controlled and injected.It is possible to time-based blind SQL Inject by the param of "username".
fix: In the line 127 of file framework/modules/users/controllers/loginController.php. https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db [CVE-2016-7789]
In Exponent CMS <=2.3.9, framework/modules/eaas/controllers/eaasController.php , $key can be controlled. And in the line 33 of framework/core/models/expConfig.php, $this->location_data can be controlled and injected. It is possible to boolean-based blind SQL Inject by the param of apikey.
fix:http://forums.exponentcms.org/index.php?p=/discussion/comment/1591#Comment_1591 [CVE-2016-9019]
In Exponent CMS <=2.3.9, in the function activate_address of the file framework/modules/addressbook/controllers/addressController.php, $this->params['is_what'] can be controlled and injected. It is possible to do time-based SQL inject by the param 'is_what'.
fix:http://forums.exponentcms.org/index.php?p=/discussion/comment/1591#Comment_1591 [CVE-2016-9020]
In exponentcms <=2.3.9, in the line 125 of file framework/modules/help/controllers/helpController.php, $this->params['version'] can be controlled and injected. it is possible to SQL injection by the param of 'version'.
Fix: In the line 55 of framework/modules/help/models/help_version.php , $version has been escaped by function expString::escape. https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db [CVE-2016-9087]
In exponentcms <=2.3.9, in the line 94 of file framework/modules/filedownloads/controllers/filedownloadController.php, $this->param['fileid'] can be controlled and injected. It is possible to SQL inject by param fileid.
Fix: In the line 94 of file framework/modules/filedownloads/controllers/filedownloadController.php , $this->params['fileid'] has been escaped by function expString::escape. https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db Reported By web-Obfuscator in dbappsecurity _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Disclose [10 * cve] in Exponent CMS Obfuscator (Nov 02)