lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <C55CF8A0-6BA6-46E0-A9D9-137668C97201@xs4all.nl>
Date: Sat, 19 Nov 2005 18:21:18 +0100
From: Hans Wolters <hans.wolters@...all.nl>
To: bugtraq@...urityfocus.com
Subject: [security - exponentcms]


A number of security issues have been discovered in ExponentCMS

------------------------------------------------------------------------ 
---------------------

Exponent is a fully-featured, modern CMS written in PHP, that enables
non-technical people to manage and update their websites with
minimal effort. Exponent is also an attractive development platform for
traditional and non-traditional web applications.

Exponent can be found at:

http://sourceforge.net/projects/exponent/

------------------------------------------------------------------------ 
---------------------

Security issues are located in 0.96.3 and higher.

1. js injection in forms.

ExponentCMS has a form generator which allows admin to create new
forms. Once these forms are used by users it is in most cases possible
to craft javascript injections which will be send to the given person.

Status: open

2.  SQL injections in the navigation module.

Problem:

Any user who is allowed to change the order of the menu
is able to inject sql using a crafted url.

PoC:

<host>/index.php?action=order&parent=41%20or% 
201&a=1&b=0&module=navigationmodule

Solution:

Typecast values where possible.

Status:

Fixed in CVS. Together with lots of other modules where no typecasting
is used.

3. Path disclosure in the extra Image Gallery module:

There is a security issue in the image gallery which
can be downloaded apart from the current stable.

In the output it shows the path above the document root
when placing the preview icons:

thumb.php?base=/var/www/site2/exponent-0.96.3/......

Status:

Fixed in cvs

4. (XSS) invalid checking of mime type for uploads

Exponent, the imagegallery to be specific, lacks mime
type checking on the uploads. Therefor the preview icon
is shown. On clicking the preview icon shows the source
written for the file.

Status: open


5. permissions on uploaded files

Files uploaded to exponentcms are chmodded with execute rights. In
some cases this could lead to code execution by visitors.

Status:

Fixed in CVS

6. False idea of secure file storage.

Users can create a page which is active but not public.
They can even set group/person permissions on such a
page. The default installation of exponent does not
provide a mechanism to prevent people from using a bot
to browse for uploaded resources and viewing those who
are supposed to be secured behind a login page since they
are all stored in the document root.

Status: open

7. parsing php through uploaded files

Once a user is allowed to upload
images it is possible to upload php code and do
anything the user apache/webserver is allowed to do
(some examples):

* view source code of the files.
* view and alter sessions of other users (in fact, do
anything with
the database you want to do.
* view the /etc/passwd

Status: open


8. XSS bug in the installer

Javascript is parsed when added to the url parameters of the installer
since there is hardly any user input sanitation.

Status: fixed in cvs

9.






Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ