Open Source Content Management System (PHP+MySQL).
Exponent CMS suffers from multiple vulnerabilities:
#1. Local File Inclusion / File Disclosure Vulnerability
#2. Arbitrary File Upload / File Modify Vulnerability
#3. Reflected Cross-Site Scripting Vulnerability
(1) LFI/FD occurs when input passed through the params:
 - "action"
 - "expid"
 - "ajax_action"
 - "printerfriendly"
 - "section"
 - "module"
 - "controller"
 - "int"
 - "src"
 - "template"
 - "page"
 - "_common"
to the scripts:
 - "index.php"
 - "login_redirect.php"
 - "mod_preview.php"
 - "podcast.php"
 - "popup.php"
 - "rss.php"
is not properly verified before being used to include files. This can be exploited to include files from local resources via directory traversal sequences and URL-encoded NULL bytes.
(2) AFU/E occurs due to an error in:
 - "upload_fileuploadcontrol.php"
 - "upload_standalone.php"
 - "manifest.php"
 - "delete.php"
 - "edit.php"
 - "manage.php"
 - "rank_switch.php"
 - "save.php"
 - "view.php"
 - "class.php"
 - "deps.php"
 - "delete_form.php"
 - "delete_process.php"
 - "search.php"
 - "send_feedback.php"
 - "viewday.php"
 - "viewmonth.php"
 - "viewweek.php"
 - "testbot.php"
 - "activate_bot.php"
 - "deactivate_bot.php"
 - "manage_bots.php"
 - "run_bot.php"
 - "class.php"
 - "delete_board.php"
 - "delete_post.php"
 - "edit_board.php"
 - "edit_post.php"
 - "edit_rank.php"
 - "monitor_all_boards.php"
 - "monitor_board.php"
 - "monitor_thread.php"
 - "preview_post.php"
 - "save_board.php"
 - "save_post.php"
 - "save_rank.php"
 - "view_admin.php"
 - "view_board.php"
 - "view_rank.php"
 - "view_thread.php"
 - "banner_click.php"
 - "ad_delete.php"
 - "ad_edit.php"
 - "ad_save.php"
 - "af_delete.php"
 - "af_edit.php"
 - "af_save.php"
 - "delete_article.php"
 - "edit_article.php"
 - "save_article.php"
 - "save_submission.php"
 - "submit_article.php"
 - "view_article.php"
 - "view_submissions.php"
 - "coretasks.php"
 - "htmlarea_tasks.php"
 - "search_tasks.php"
 - "clear_smarty_cache.php"
 - "configuresite.php"
 - "config_activate.php"
 - "config_configuresite.php"
 - "config_delete.php"
 - "config_save.php"
 - "examplecontent.php"
 - "finish_install_extension.php"
 - "gmgr_delete.php"
 - "gmgr_editprofile.php"
 - "gmgr_membership.php"
 - "gmgr_savegroup.php"
 - "gmgr_savemembers.php"
as it allows uploads of files with multiple extensions to a folder inside the web root. This can be exploited to execute arbitrary PHP code by uploading a specially crafted PHP script.
The uploaded files are stored in: [CMS_ROOT_HOST]\files
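The root cause in (2) is that the upload handlers accept a client-supplied filename carrying more than one extension and store it under the web root. The following is an added example of the validation a hardened upload handler would apply; it is not Exponent CMS code. The extension allowlist and the idea of replacing the client's base name with a server-generated random name are assumptions chosen for the example; the point it demonstrates is that a name with more than one dot is rejected outright and that nothing the client chose determines how the stored file is named.

```python
import re
import secrets

# Constructed allowlist for a hypothetical upload handler; the advisory names
# none, so these values are assumptions for the example.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Base name: letters, digits, underscore, hyphen only. No dots, so a name can
# carry exactly one extension and nothing like ".htaccess" or "x.php.jpg".
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload_name(filename: str):
    """Return (accepted, reason) for a client-supplied upload filename.

    Rejects null bytes, path separators, multi-extension names and any
    extension outside the allowlist.
    """
    if "\x00" in filename:
        return False, "null byte in filename"
    if "/" in filename or "\\" in filename:
        return False, "path separator in filename"
    parts = filename.split(".")
    if len(parts) != 2:
        # Zero dots means no extension; two or more dots means multiple
        # extensions, which is the pattern the advisory describes.
        return False, "expected exactly one extension"
    base, ext = parts[0], parts[1].lower()
    if not SAFE_BASENAME.match(base):
        return False, "unsafe characters in base name"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: {ext}"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Validate, then return a server-chosen random name keeping only the extension.

    The client's base name never reaches disk, so nothing it contains can
    influence how the web server treats the stored file.
    """
    accepted, reason = validate_upload_name(filename)
    if not accepted:
        raise ValueError(reason)
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample names: one legitimate image, then the shapes the check rejects.
    for name in ("photo.jpg", "shell.php.jpg", "shell.phtml", ".htaccess", "..\\evil.jpg"):
        print(name, "->", validate_upload_name(name))
```

Storing the result outside the document root, or in a directory where the web server has script execution disabled, is the second half of the fix; the name check alone only removes the multi-extension trick the advisory describes.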
(3) XSS occurs when input passed to the params:
 - "u"
 - "expid"
 - "ajax_action"
 - "ss"
 - "sm"
 - "url"
 - "rss_url"
 - "lang"
 - "toolbar"
 - "section"
 - "section_name"
 - "src"
in the scripts:
 - "slideshow.js.php"
 - "picked_source.php"
 - "magpie_debug.php"
 - "magpie_simple.php"
 - "magpie_slashbox.php"
 - "test.php"
 - "fcktoolbarconfig.js.php"
 - "section_linked.php"
 - "index.php"
is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
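Both (1) and (3) are visible in web server access logs as requests to the listed scripts with traversal sequences, encoded NULL bytes, or markup in the listed parameters. The following is an added example of a log scanner that looks for exactly those patterns; it is not part of the advisory and not Exponent CMS code. It assumes Apache/nginx combined log format, and the sample lines are constructed for the example. The scanner decodes each parameter value a second time so that double-encoded payloads are also caught.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters and scripts named in the advisory above.
LFI_PARAMS = {"action", "expid", "ajax_action", "printerfriendly", "section", "module",
              "controller", "int", "src", "template", "page", "_common"}
LFI_SCRIPTS = {"index.php", "login_redirect.php", "mod_preview.php", "podcast.php",
               "popup.php", "rss.php"}
XSS_PARAMS = {"u", "expid", "ajax_action", "ss", "sm", "url", "rss_url", "lang", "toolbar",
              "section", "section_name", "src"}
XSS_SCRIPTS = {"slideshow.js.php", "picked_source.php", "magpie_debug.php", "magpie_simple.php",
               "magpie_slashbox.php", "test.php", "fcktoolbarconfig.js.php",
               "section_linked.php", "index.php"}

# Request line inside a combined-log-format entry: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
XSS_RE = re.compile(r"(<\s*script|javascript:|\bon[a-z]+\s*=)", re.IGNORECASE)


def analyse_request(target):
    """Return a list of (finding, script, param) tuples for one request target."""
    findings = []
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    # parse_qsl percent-decodes once; unquote again to expose double-encoding
    # such as %252e%252e%252f, which is %2e%2e%2f after the first pass.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(raw)
        if script in LFI_SCRIPTS and name in LFI_PARAMS:
            if TRAVERSAL_RE.search(value):
                findings.append(("lfi-traversal", script, name))
            if "\x00" in value:
                findings.append(("lfi-nullbyte", script, name))
        if script in XSS_SCRIPTS and name in XSS_PARAMS and XSS_RE.search(value):
            findings.append(("xss-reflected", script, name))
    return findings


def scan_log(lines):
    """Run analyse_request over every request line found in the given log lines."""
    alerts = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            alerts.extend(analyse_request(m.group("target")))
    return alerts


# Constructed sample log lines: two benign requests and three matching the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /index.php?section=1&module=news HTTP/1.1" 200 5123',
    '192.0.2.11 - - [01/Jan/2010:10:00:05 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 812',
    '192.0.2.12 - - [01/Jan/2010:10:00:09 +0000] "GET /popup.php?template=%252e%252e%252f%252e%252e%252fetc%252fhosts HTTP/1.1" 200 400',
    '192.0.2.13 - - [01/Jan/2010:10:00:12 +0000] "GET /slideshow.js.php?u=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 77',
    '192.0.2.14 - - [01/Jan/2010:10:00:20 +0000] "GET /rss.php?src=feed&lang=en HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A 200 status on a request like the second sample line is the point a responder should treat as a likely successful file disclosure rather than a blocked probe, since the advisory describes the include happening without any prior verification of the parameter.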