
Exponent CMS 2.3.5 - File Upload Cross Site Scripting Vulnerability
Reported by Sachin Wagh | December 25th, 2015 @ 08:25 PM | in 2.3.7 (closed)
Information
Vulnerability Type : Exponent CMS 2.3.5 - File Upload Cross Site Scripting Vulnerability
Vulnerable Version : 2.3.5
CVE-ID :
Severity: High
Author – Sachin Wagh (@tiger_tigerboy)
Description
Exponent CMS is prone to a file upload cross site scripting vulnerability because it fails to sanitize user-supplied input. It is possible to make Exponent CMS vulnerable to XSS if you can upload/include an HTML file into the file manager.
Please find attached POC for more detail.
Reference :
https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scrip...
Credits & Authors
Sachin Wagh (@tiger_tigerboy)
Comments and changes to this ticket
dleffler December 26th, 2015 @ 06:05 AM
- Tag set to security
- Assigned user changed from expNinja to dleffler
This issue may have been resolved with the fix to #1320 CVE-2015-8667 which was included in the v2.3.6 release today. Additional testing will need to be performed on v2.3.6 to see if this issue still exists.
-
dleffler December 26th, 2015 @ 05:49 PM
Basically there are two issues here:
- Our .htaccess settings were a little too loose as they didn't prevent uploaded .html files from being executed
- The elFinder file manager allows opening all file types regardless of the .htaccess settings, which is further compounded when not using the file manager from within a text editor and double-clicking a file opens it
These issues will be fixed in the next release, 1) we are blocking more filetypes and 2) we are preventing ANY files (except folders) from being opened from within elFinder.
I have requested a CVE-ID for this issue.
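The two fixes dleffler describes above (refuse more file types at upload time, and never let the file manager hand an uploaded file back as an inline document) can be expressed as a small server-side policy. The following is an added illustration and not Exponent CMS or elFinder code; the extension list, the HTML marker regex, and the function names are assumptions chosen for the example.

```python
"""Added example (not Exponent CMS code): upload-directory policy that
mirrors the two fixes described in the ticket.

1. classify_upload() rejects files whose name or content would be
   treated as active content (HTML/script) if served from the upload
   directory, the same goal as the tightened .htaccess rules.
2. download_headers() builds the response headers for serving an
   accepted file as a download rather than an inline page, the same
   goal as stopping elFinder from opening files directly.

The extension list and marker regex are assumptions for illustration.
"""
import os
import re

# Extensions a browser or Apache would treat as executable/active content
# if served from the upload directory (assumed list, not Exponent's).
ACTIVE_EXTENSIONS = {
    "html", "htm", "xhtml", "shtml", "svg", "xml", "js", "mht",
    "php", "phtml", "php3", "php5", "phar", "htaccess",
}

# Markup that marks a file as HTML no matter what its extension says.
_HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|script|iframe|svg|body)\b", re.IGNORECASE
)


def extension_parts(filename):
    """Return every suffix of the base name, lower-cased.

    'report.html.txt' yields ['html', 'txt'] so that a double extension
    is checked against every part, which matters when the web server
    applies handlers per extension rather than only on the last one.
    """
    base = os.path.basename(filename)
    return base.lower().split(".")[1:]


def classify_upload(filename, content):
    """Return (accepted, reason) for a proposed upload.

    Rejects on any active-content extension, then sniffs the first 4 KiB
    for HTML markup so a renamed .html file does not slip through as .txt.
    """
    for ext in extension_parts(filename):
        if ext in ACTIVE_EXTENSIONS:
            return False, f"active content extension '.{ext}' is not allowed"
    head = content[:4096].lstrip()
    if _HTML_MARKERS.search(head):
        return False, "content looks like HTML regardless of extension"
    return True, "ok"


def download_headers(filename):
    """Headers for serving an accepted upload.

    Forces a download, disables MIME sniffing so the browser cannot
    decide it is HTML anyway, and applies a CSP that blocks scripting
    should the file ever be rendered.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(filename))
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample uploads for demonstration.
    samples = [
        ("report.pdf", b"%PDF-1.4 sample"),
        ("page.HTML", b"<html><body>hi</body></html>"),
        ("notes.txt", b"<!DOCTYPE html><script>alert(1)</script>"),
        ("photo.html.txt", b"plain text"),
    ]
    for name, data in samples:
        ok, why = classify_upload(name, data)
        print(f"{name:16} accepted={ok} ({why})")
        if ok:
            print("   ", download_headers(name))
```

The sniffing rule is deliberately conservative: a genuine text file that happens to contain a literal `<body>` tag is rejected too, which is the right trade-off for a directory that anonymous browsers can fetch from. The headers in `download_headers` are what the ticket's "enforce the server security settings" step amounts to in practice, whether they are produced by application code or by an Apache `.htaccess` in the upload folder.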
-
Sachin Wagh December 26th, 2015 @ 05:54 PM
Thanks dleffler.
Once got the CVE-ID please update me accordingly.
Thanks.
-
expNinja December 26th, 2015 @ 05:56 PM
- State changed from new to resolved
(from [148790795acba350fc42bd236b7f0da4a6e0e10e]) Fix security issue by strengthening the server security parameters in folders receiving uploads and tighten elFinder security by not allowing any files to be opened (only folders)...you'll need to use the 'preview' or 'edit' commands or click on the link in the 'info' dialog which will enforce the server security settings. [#1323 state:resolved] https://github.com/exponentcms/exponent-cms/commit/148790795acba350...
-
Bug Tracker for Exponent CMS