Exponent CMS v0.97 Multiple Vulnerabilities Vendor: OIC Group Inc. Product web page: http://www.exponentcms.org Affected version: 0.97 Summary: Open Source Content Management System (PHP+MySQL). Desc: Exponent CMS suffers from multiple vulnerabilities: #1. Local File Inclusion / File Disclosure Vulnerability #2. Arbitrary File Upload / File Modify Vulnerability #3. Reflected Cross-Site Scripting Vulnerability (1) LFI/FD occurs when input passed thru the params: - "action" - "expid" - "ajax_action" - "printerfriendly" - "section" - "module" - "controller" - "int" - "src" - "template" - "page" - "_common" to the scripts: - "index.php" - "login_redirect.php" - "mod_preview.php" - "podcast.php" - "popup.php" - "rss.php" is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes. (2) AFU/E occurs due to an error in: - "upload_fileuploadcontrol.php" - "upload_standalone.php" - "manifest.php" - "delete.php" - "edit.php" - "manage.php" - "rank_switch.php" - "save.php" - "view.php" - "class.php" - "deps.php" - "delete_form.php" - "delete_process.php" - "search.php" - "send_feedback.php" - "viewday.php" - "viewmonth.php" - "viewweek.php" - "testbot.php" - "activate_bot.php" - "deactivate_bot.php" - "manage_bots.php" - "run_bot.php" - "class.php" - "delete_board.php" - "delete_post.php" - "edit_board.php" - "edit_post.php" - "edit_rank.php" - "monitor_all_boards.php" - "monitor_board.php" - "monitor_thread.php" - "preview_post.php" - "save_board.php" - "save_post.php" - "save_rank.php" - "view_admin.php" - "view_board.php" - "view_rank.php" - "view_thread.php" - "banner_click.php" - "ad_delete.php" - "ad_edit.php" - "ad_save.php" - "af_delete.php" - "af_edit.php" - "af_save.php" - "delete_article.php" - "edit_article.php" - "save_article.php" - "save_submission.php" - "submit_article.php" - "view_article.php" - "view_submissions.php" - "coretasks.php" - "htmlarea_tasks.php" - "search_tasks.php" - "clear_smarty_cache.php" - "configuresite.php" - "config_activate.php" - "config_configuresite.php" - "config_delete.php" - "config_save.php" - "examplecontent.php" - "finish_install_extension.php" - "gmgr_delete.php" - "gmgr_editprofile.php" - "gmgr_membership.php" - "gmgr_savegroup.php" - "gmgr_savemembers.php" as it allows uploads of files with multiple extensions to a folder inside the web root. This can be exploited to execute arbitrary PHP code by uploading a specially crafted PHP script. The uploaded files are stored in: [CMS_ROOT_HOST]\files (3) XSS occurs when input passed to the params: - "u" - "expid" - "ajax_action" - "ss" - "sm" - "url" - "rss_url" - "lang" - "toolbar" - "section" - "section_name" - "src" in scripts: - "slideshow.js.php" - "picked_source.php" - "magpie_debug.php" - "magpie_simple.php" - "magpie_slashbox.php" - "test.php" - "fcktoolbarconfig.js.php" - "section_linked.php" - "index.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Microsoft Windows XP Professional SP3 (English) Apache 2.2.14 (Win32) MySQL 5.1.41 PHP 5.3.1 Vendor status: [09.10.2010] Vulnerabilities discovered. [10.10.2010] Vendor contacted. [13.10.2010] No reply from vendor. [14.10.2010] Public advisory released. Advisory ID: ZSL-2010-4969 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php Vulnerabilities discovered by: Gjoko 'LiquidWorm' Krstic liquidworm gmail com Zero Science Lab - http://www.zeroscience.mk Proofs of Concept: (1) LFI/FD - http://exponent_site/index.php?action=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&expid=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&ajax_action=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&printerfriendly=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00§ion=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&module=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00&controller=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00 ... (2) AFU/E - http://exponent_site/modules/cermi/actions/upload_fileuploadcontrol.php?action=[FILE]&expid=[FILE]&ajax_action=[FILE] ... (3) XSS - http://exponent_site/external/magpierss/scripts/magpie_slashbox.php?rss_url=3141%3cscript%3ealert("zsl_xss")%3c%2fscript%3e ...