Exponentcms Exponent CMS → User issues

Comments and changes to this ticket

• You flagged this item as spam.
  

  Sachin Wagh January 31st, 2016 @ 04:04 PM

  Hi dleffler,

  I achieved this through File Manager. It allows to upload .php file and you can access it through http://localhost/exponent-2.3.7/files/$filename$.php

  It allows to execute system level command as shown in the POC.

  The interesting part is that once its uploaded unauthenticated user can also access same file and execute malicious command.

  Thanks a lot.

• You flagged this item as spam.
  

  Sachin Wagh February 1st, 2016 @ 06:44 AM

  • Assigned user set to “expNinja”

  Hi,

  Please find attached POC video.

  Thanks.

  • Code_Execution.avi 3.9 MB

• You flagged this item as spam.
  

  Sachin Wagh February 1st, 2016 @ 04:34 PM

  Hi dleffler,

  Agree for below point

  "the 'page not found' exponent message is due to attempting to open a folder which the main .htaccess file has the server kick over as a 404 error. This is expected behavior with an attempt to open any 'folder' path within the exponent folder system under apache"

  If you access '/files/' it's giving error as expected.

  But if you access '/files/$uploaded_file$.php' it will not giving any error (e.g authorized failed/page not found/bad request) even user is not login to the application.Uploaded scripts gets executed.

  Thanks a lot.

• You flagged this item as spam.
  

  Sachin Wagh February 3rd, 2016 @ 07:09 PM

  Hi dleffler,

  Any update on this.

  Thanks.

  Best Regards,

  Sachin Wagh.

• You flagged this item as spam.
  

  Sachin Wagh February 10th, 2016 @ 02:04 PM

  Hi dleffler,

  I verified again. It is possible to execute PHP script.After uploading PHP script if you access directly as http://www.example.com/files/shell.php.

  Thanks.

  Best Regards,

  Sachin Wagh