#1405 new

Exponent CMS 2.4.1 Patch 1 - Unrestricted File Upload Vulnerability

Reported by mm | January 14th, 2017 @ 08:05 AM | in 2.4.2 (closed)

As it has already been pointed out (https://exponentcms.lighthouseapp.com/projects/61783/tickets/1402-e...), a blacklisting approach towards preventing malicious executable file uploads is not secure.

Each Apache configuration is different, and thus each server requires a different blacklist.

E.g. some servers, such as http://exponent.org, are configured with "AddType application/x-httpd-php .php2", which is not covered by the blacklist. Therefore, on such servers, malicious .php2 files can be uploaded and executed.

Actually, any file extension such as ".myscript", ".exponent" or ".blabla" could have a handler attached.

I continue to recommend a whitelisting approach.
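To make the blacklist-versus-whitelist argument concrete, here is an added example (not code from this ticket or from Exponent CMS). The blacklist and whitelist contents are constructed for illustration, and the check is written in Python so it can be run on its own; the point is the shape of the decision, not the language. It also goes one step beyond the .php2 case: the whitelist validates every dot-separated part of the name, not only the last one, because Apache's mod_mime evaluates multiple extensions, so a name like shell.php.jpg can still reach the PHP handler on servers that map .php with AddHandler or AddType.

```python
import posixpath

# Constructed blacklist of the kind a CMS might ship. It is an illustration,
# not Exponent's actual list: whatever it contains, it can only name the
# handlers its author thought of (.php2, .myscript, .exponent are not here).
EXT_BLACKLIST = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Whitelist of the extensions this hypothetical application really needs.
EXT_WHITELIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def name_parts(filename):
    """Split the final path component on dots, lowercased:
    'a/B.Php.jpg' -> ['b', 'php', 'jpg']."""
    return posixpath.basename(filename).lower().split(".")


def blacklist_allows(filename):
    """Blacklist check as commonly implemented: reject only if the LAST
    extension is a known-bad one. Anything the list does not name gets through."""
    parts = name_parts(filename)
    return len(parts) < 2 or parts[-1] not in EXT_BLACKLIST


def whitelist_allows(filename):
    """Whitelist check: the name must have an extension, and EVERY part after
    the base name must be on the allow list. Checking every part rather than
    just the last one closes the shell.php.jpg case on Apache, where mod_mime
    honours multiple extensions."""
    parts = name_parts(filename)
    if len(parts) < 2 or not parts[0]:
        return False  # no extension at all, or a dotfile such as .htaccess
    return all(part in EXT_WHITELIST for part in parts[1:])


def compare(filenames):
    """Return {filename: (blacklist_allows, whitelist_allows)} for a batch of names."""
    return {f: (blacklist_allows(f), whitelist_allows(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample uploads, including the .php2 case from the ticket.
    results = compare([
        "photo.JPG", "malicious.php2", "shell.php.jpg", "notes.myscript", ".htaccess",
    ])
    for name, (bl, wl) in results.items():
        print(f"{name:18} blacklist allows={bl!s:5}  whitelist allows={wl}")
```

The whitelist rejects names like report.v2.pdf as a side effect; the usual remedy is to store uploads under a server-generated name (random token plus the one validated extension) and keep the original name only as metadata, which also removes any dependence on the client-supplied string.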

Comments and changes to this ticket

  • mm

    mm January 15th, 2017 @ 03:52 PM

    Matching against mimetypes via finfo provides no safety against uploading malicious files, see e.g. http://php.net/manual/en/function.finfo-file.php#75275

    Example: uploading a file whose contents starts with "x<?php " is regarded as "plain/text".

  • mm

    mm January 16th, 2017 @ 05:56 AM

    curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=upload" -F "target=l1_" -F "upload[]=@/path/to/malicious.php2"

    Apache/2.4.18 (Ubuntu) on Ubuntu 16.04 LTS running Exponent CMS v2.4.1 Patch #1

  • mm

    mm January 17th, 2017 @ 05:00 AM

    The class.upload library suffers from the same vulnerability:

    curl "[exponent]/framework/modules/file/connector/uploader_tinymce.php" -F "file=@/path/to/malicious.php2"

    In this case however, malicious.php2 must have a mimetype which is either "text/rtf" or does not start with "text/".

    This can easily be achieved by e.g. prepending the content of malicious.php2 with "{\rtf1\ansi{\fonttbl\f0\fswiss Helvetica;}\f0\pard".

    I could verify the vulnerability on my local installation (see my last reply for version info). The Exponent website linked in your GitHub profile seems to be one of the only ones on the web running a current Exponent CMS v2.4.1 patch #1 and is not vulnerable due to your Apache configuration (I tested uploading PHP files containing "<?php phpinfo(); ?>").

    I am unfortunately not surprised that http://exponentcms.org is running an outdated vulnerable version, which actually puts all downloaders of Exponent CMS at high risk. Even though you @dleffler put a lot of work in this CMS, there seems to be no userbase, no developer community and no professional backing (is oicgroup defunct?). Exponent CMS has a huge legacy codebase which IMHO is really too big to be maintained and advanced by yourself alone.

    There are more vulnerabilities in Exponent CMS, such as local proxies, open redirects etc. but I don't have time to sift through all the code.

    Here are a few things that I spotted:

    Open redirect: [exponent]/external/phpThumb/phpThumb.php?src=http://exponentcms.org:a@maliciousdomain.com/malicious.jpg

    Local proxy: curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=get" -F "target=[target hash]" -F "upload[]=localhost"

    Possible session fixation attack: [exponent]/index.php?expid=123

    Also, there is adminer packaged with exponent, allowing attackers to connect to the database locally from the server once they gained access to the database credentials.

    Also, why can anyone / unauthenticated users upload files at all?

    Also, access to directories such as /cron should be denied completely.

    My final thoughts on this matter: Abandon Exponent CMS, since fixing it and making it secure will take much more time than e.g. adapting and joining the development of any other modern open source CMS. They surely could use more developer talent such as you and you might gain valuable new experiences yourself.
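The two content-based checks discussed in this thread (the finfo mimetype match in the January 15th comment and the class.upload "text/rtf or not text/*" rule in the January 17th comment) fail for the same reason, so one added example covers both. It is not code from the ticket or from Exponent CMS. The sniffer below is a deliberately small stand-in for libmagic/finfo, constructed for this example; the acceptance rule models the one the comment describes for class.upload, and the three payloads are constructed from the ticket's own prefixes. The property it shows is that a sniffer classifies the leading bytes, while the PHP engine runs an open tag wherever it occurs in the file.

```python
import re

# Toy content sniffer in the style of libmagic/finfo: it classifies a file
# from its leading bytes only. Constructed for this example; real finfo has
# far more signatures, but shares the property that matters here.
def sniff_mime(data):
    if data.startswith(b"<?php"):
        return "text/x-php"
    if data.startswith(b"{\\rtf"):
        return "text/rtf"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    try:
        data.decode("ascii")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"


# What the PHP engine cares about: an open tag anywhere in the file. Bytes
# before the first tag are echoed as literal output, then the code runs.
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")


def contains_php(data):
    return PHP_OPEN_TAG.search(data) is not None


def rtf_style_check_allows(mime):
    """Models the acceptance rule the ticket describes for the class.upload
    path: text/* is rejected except text/rtf; everything else is accepted."""
    return mime == "text/rtf" or not mime.startswith("text/")


def evaluate(data):
    """Return what the sniffer thinks, whether the mime rule would accept the
    file, and whether the file is nonetheless executable PHP."""
    mime = sniff_mime(data)
    return {
        "mime": mime,
        "mime_check_allows": rtf_style_check_allows(mime),
        "executable_php": contains_php(data),
    }


# Constructed payloads: the bare script, the "x" prefix from the January 15th
# comment, and the RTF header prefix from the January 17th comment.
PAYLOAD = b"<?php phpinfo(); ?>"
SAMPLES = {
    "bare": PAYLOAD,
    "x_prefixed": b"x" + PAYLOAD,
    "rtf_prefixed": b"{\\rtf1\\ansi{\\fonttbl\\f0\\fswiss Helvetica;}\\f0\\pard" + PAYLOAD,
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:13} {evaluate(data)}")
```

Only the bare script is caught, and only because it happens to start with the tag; the "x" prefix turns it into text/plain and the RTF header turns it into text/rtf, which the modelled rule accepts, while contains_php is true for all three. Whether the file runs is decided by the handler Apache attaches to the stored extension and directory, so the decision has to be made on the stored name (whitelist) and on storing uploads where no script handler applies, not on what the content looks like.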

Bug Tracker for Exponent CMS