#1323 Exponent CMS 2.3.5 -File Upload Cross Site Scripting Vulnerability - Exponent CMS

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

#1323 ✓resolved

Exponent CMS 2.3.5 -File Upload Cross Site Scripting Vulnerability

Reported by Sachin Wagh | December 25th, 2015 @ 08:25 PM | in 2.3.7 (closed)

Information

Vulnerability Type : Exponent CMS 2.3.5 -File Upload Cross Site Scripting Vulnerability
Vulnerable Version : 2.3.5
CVE-ID :
Severity: High
Author – Sachin Wagh (@tiger_tigerboy)

Description

Exponent CMS is prone to a file upload cross site Scripting vulnerability because it fails to sanitize user-supplied input.It is possible to make a Exponent CMS vulnerable to XSS if you can upload/include a html file into the file manager.

Please find attached POC for more detail.

Reference :

https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scrip...

Credits & Authors

Sachin Wagh (@tiger_tigerboy)

3.File_Manager_Upload_XSS.avi 1.6 MB

Comments and changes to this ticket

dleffler December 26th, 2015 @ 05:59 AM
- Milestone set to “2.3.7”
[bulk edit]
dleffler December 26th, 2015 @ 06:05 AM
- Tag set to “security”
- Assigned user changed from “expNinja” to “dleffler”
This issue may have been resolved with the fix to #1320 CVE-2015-8667 which was included in the v2.3.6 release today. Additional testing will need to be performed on v2.3.6 to see if this issue still exists.
dleffler December 26th, 2015 @ 05:49 PM
Basically there are two issues here
1. Our .htaccess settings were a little too loose as they didn't prevent uploaded .html files from being executed
2. The elFinder file manager allows opening all file types regardless of the .htaccess settings, which is further compounded when not using the file manager from within a text editor and double-clicking a file opens it
These issues will be fixed in the next release, 1) we are blocking more filetypes and 2) we are preventing ANY files (except folders) from being opened from within elFinder.

I have requested a CVE-ID for this issue.
You flagged this item as spam.
Sachin Wagh December 26th, 2015 @ 05:54 PM
Thanks dleffler.

Once got the CVE-ID please update me accordingly.

Thanks.
expNinja December 26th, 2015 @ 05:56 PM
- State changed from “new” to “resolved”
(from [148790795acba350fc42bd236b7f0da4a6e0e10e]) Fix security issue by strengthening the server security parameters in folders receiving uploads and tighten elFinder security by not allow any files to be opened (only folders)...you'll need to use the 'preview' or 'edit' commands or click on the link in the 'info' dialog which will enforce the server security settings.[#1323 state:resolved] https://github.com/exponentcms/exponent-cms/commit/148790795acba350...
dleffler December 26th, 2015 @ 11:56 PM
CVE-2015-8684

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Bug Tracker for Exponent CMS

Shared Ticket Bins (Sort)

↓↑ drag 156 Open tickets
↓↑ drag 1246 Resolved tickets
↓↑ drag 1 This week's tickets

People watching this ticket

Attachments

3.File_Manager_Upload_XSS.avi 1.6 MB

Exponentcms Exponent CMS → 2.3.7