#1347 new
Sachin Wagh

Exponent CMS 2.3.7 - Command Execution Vulnerability

Reported by Sachin Wagh | January 30th, 2016 @ 03:39 PM | in User issues

Description:

Exponent CMS → 2.3.7 suffers from an unauthenticated arbitrary command execution vulnerability. The issue is caused by the improper verification of elfinder's manager. This can be exploited to execute arbitrary PHP code by creating or uploading a malicious PHP script file that will be stored in the '/files' directory.

Please find attached POC.

The URL below allows an unauthenticated attacker to create a file (sachin) in the '/files' directory.

http://localhost/exponent-2.3.7/framework/modules/file/connector/el...

Credit:

Sachin Wagh (@tiger_tigerboy)

Comments and changes to this ticket

  • Sachin Wagh, January 31st, 2016 @ 04:04 PM

    Hi dleffler,

    I achieved this through File Manager. It allows uploading a .php file, which you can then access through http://localhost/exponent-2.3.7/files/$filename$.php

    It allows executing system-level commands as shown in the POC.

    The interesting part is that once it is uploaded, an unauthenticated user can also access the same file and execute malicious commands.

    Thanks a lot.

  • Sachin Wagh, February 1st, 2016 @ 06:44 AM

    • Assigned user set to “expNinja”

    Hi,

    Please find attached POC video.

    Thanks.

  • Sachin Wagh, February 1st, 2016 @ 04:34 PM

    Hi dleffler,

    Agreed on the point below:

    "the 'page not found' exponent message is due to attempting to open a folder which the main .htaccess file has the server kick over as a 404 error. This is expected behavior with an attempt to open any 'folder' path within the exponent folder system under apache"

    If you access '/files/' it's giving error as expected.

    But if you access '/files/$uploaded_file$.php' it will not give any error (e.g. authorization failed/page not found/bad request) even if the user is not logged in to the application. Uploaded scripts get executed.

    Thanks a lot.

  • Sachin Wagh, February 3rd, 2016 @ 07:09 PM

    Hi dleffler,

    Any update on this?

    Thanks.

    Best Regards,

    Sachin Wagh.

  • Sachin Wagh, February 10th, 2016 @ 02:04 PM

    Hi dleffler,

    I verified again. It is possible to execute a PHP script after uploading it, if you access it directly as http://www.example.com/files/shell.php.

    Thanks.

    Best Regards,

    Sachin Wagh
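The report and the follow-up comments describe two conditions that together make the upload dangerous: the connector accepts a .php file into '/files', and Apache then executes anything with a script extension served from that directory. The script below is an added example, written from the defender's side and not part of Exponent CMS or this ticket's POC. It audits a web-served upload directory for files that would be executed as PHP (by extension, including double extensions such as name.php.jpg, and by sniffing for a PHP open tag in files with harmless names) and checks whether the directory's .htaccess carries a directive that disables script execution. The sample directory tree, the file contents, the .htaccess heuristics and the recommended rules are assumptions constructed for illustration; the Apache directives (`Require all denied`, `php_flag engine off`) are standard ones and only take effect where `AllowOverride` permits them.

```python
"""
Added example (not Exponent CMS code): audit a web-served upload directory,
such as Exponent's /files, for server-side scripts and for the absence of a
.htaccess that would stop Apache from executing them. All sample data here is
constructed; the hardening rules assume Apache 2.4 with mod_php.
"""
import re
import tempfile
from pathlib import Path

# Extensions that mod_php is commonly configured to execute (assumed list).
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# Opening tag of PHP code, used to catch scripts hidden behind a harmless name.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# Directives that disable PHP execution for a directory (heuristic matches).
HARDENING_RULES = (
    re.compile(r"^\s*php(_admin)?_flag\s+engine\s+off", re.IGNORECASE | re.MULTILINE),
    re.compile(r"Require\s+all\s+denied", re.IGNORECASE),
    re.compile(r"Deny\s+from\s+all", re.IGNORECASE),
)

RECOMMENDED_HTACCESS = """\
# Constructed example: refuse to serve scripts from an upload directory.
<FilesMatch "\\.(php|php[3-7]|phtml|phar)$">
    Require all denied
</FilesMatch>
"""


def is_script_name(name: str) -> bool:
    """True if any suffix is a PHP extension, so 'x.php' and 'x.php.jpg' both match."""
    return any(s.lower() in SCRIPT_EXTENSIONS for s in Path(name).suffixes)


def contains_php(path: Path, sniff_bytes: int = 4096) -> bool:
    """True if the first bytes of the file contain a PHP open tag."""
    try:
        with path.open("rb") as fh:
            return PHP_OPEN_TAG.search(fh.read(sniff_bytes)) is not None
    except OSError:
        return False


def htaccess_blocks_scripts(directory: Path) -> bool:
    """Heuristic: does a .htaccess in this directory carry a script-blocking directive?"""
    htaccess = directory / ".htaccess"
    if not htaccess.is_file():
        return False
    return any(rule.search(htaccess.read_text(errors="replace")) for rule in HARDENING_RULES)


def audit_upload_dir(directory: Path) -> list[tuple[str, str]]:
    """Return (relative path, reason) findings for a web-served upload directory."""
    findings = []
    if not htaccess_blocks_scripts(directory):
        findings.append((".htaccess", "no directive disabling script execution"))
    for path in sorted(p for p in directory.rglob("*") if p.is_file()):
        if path.name == ".htaccess":
            continue
        rel = str(path.relative_to(directory))
        if is_script_name(path.name):
            findings.append((rel, "script extension in web-served upload dir"))
        elif contains_php(path):
            findings.append((rel, "PHP open tag inside non-script file"))
    return findings


def harden(directory: Path) -> Path:
    """Write the recommended .htaccess; Apache honours it only if AllowOverride allows."""
    target = directory / ".htaccess"
    target.write_text(RECOMMENDED_HTACCESS)
    return target


def build_sample_tree(base: Path) -> Path:
    """Constructed sample /files: an image, an uploaded script, a disguised script, a double extension."""
    files = base / "files"
    files.mkdir()
    (files / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg-like bytes")
    (files / "shell.php").write_bytes(b"<?php echo 'constructed test script'; ?>")
    (files / "notes.txt").write_bytes(b"<?php echo 'hidden behind a txt name'; ?>")
    (files / "avatar.php.jpg").write_bytes(b"<?php echo 'double extension'; ?>")
    return files


def run_demo() -> tuple[list, list]:
    """Build the sample tree, audit it, apply the .htaccess, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        files = build_sample_tree(Path(tmp))
        before = audit_upload_dir(files)
        harden(files)
        after = audit_upload_dir(files)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before hardening:", before)
    print("after hardening:", after)
```

The second audit still lists the script files: the .htaccess only stops Apache from serving them, so the remaining findings are the ones an operator should remove and trace back to the upload path that created them. Blocking the unauthenticated connector is the fix; the directory rule is defence in depth for the case where an upload slips through anyway.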
