
Exponent CMS 2.3.7 - Command Execution Vulnerability
Reported by Sachin Wagh | January 30th, 2016 @ 03:39 PM | in 2.4.1 (closed)
Description:
Exponent CMS → 2.3.7 suffers from an unauthenticated arbitrary command execution vulnerability. The issue is caused due to the improper verification of elfinder's manager. This can be exploited to execute arbitrary PHP code by creating or uploading a malicious PHP script file that will be stored in '/files' directory.
Please find attached POC.
Below URL's allows unauthenticated attacker to create file(sachin) in '/files' directory.
http://localhost/exponent-2.3.7/framework/modules/file/connector/el...
Credit:
Sachin Wagh(@tiger_tigerboy)
Comments and changes to this ticket
-
dleffler January 30th, 2016 @ 06:01 PM
- Tag set to security
- Assigned user cleared.
I will acknowledge this will allow creating a NEW EMPTY file, however the .htaccess file in that folder will NOT ALLOW .php script execution (nor these file types: .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .html .shtml .sh .cgi).
Not sure how you would be able to accomplish what is seen in 1.RCE.png & 2.RCE.png, since it won't allow running that script and you'd even have to be an authorized user to even get that file into the folder anyway.
The command doesn't allow overwriting files within the folder either, so you can't damage anything in their already.
Are you running on a server other than apache?
-
Sachin Wagh January 31st, 2016 @ 04:04 PM
Hi dleffler,
I achieved this through File Manager. It allows to upload .php file and you can access it through http://localhost/exponent-2.3.7/files/$filename$.php
It allows to execute system level command as shown in the POC.
The interesting part is that once its uploaded unauthenticated user can also access same file and execute malicious command.
Thanks a lot.
-
dleffler January 31st, 2016 @ 06:22 PM
I'm sorry I can not reproduce this since the (apache) .htaccess will NOT allow script execution in the /files folder structure (nor /tmp).
We will admit there is a certain amount of security compromised whenever an administrator grants the user a 'create' or 'edit' permission which allows them to upload images (and thus upload files) (unless this permission is specifically removed via group permissions) none-the-less, no script can be run from either the /tmp nor the /files folder(s).
Are you perhaps running this on another web server (nginx, lighttpd, or IIS) which we do not actually support nor ship server configuration files for?
-
Sachin Wagh February 1st, 2016 @ 06:44 AM
- Assigned user set to expNinja
Hi,
Please find attached POC video.
Thanks.
-
dleffler February 1st, 2016 @ 04:18 PM
- Assigned user changed from expNinja to dleffler
I follow what you are attempting to communicate in the attached video. But again, I must reiterate that what you are demonstrating is a mis-configured/unsecure apache server (also my assumption from the video folder path is you are running xampp locally, which is using apache, version unknown)
- the 'page not found' exponent message is due to attempting to open a folder which the main .htaccess file has the server kick over as a 404 error. This is expected behavior with an attempt to open any 'folder' path within the exponent folder system under apache
- again, the .htaccess file we ship with Exponent will not allow running scripts within /files
I have verified several times both locally and on an active site that the .htaccess configuration is working as expected and will kick the server to request the main/home page
If you have an issue it is with the xampp package or apache itself...OR your package extraction under windows failed to extract the 'dot' files correctly
-
Sachin Wagh February 1st, 2016 @ 04:34 PM
Hi dleffler,
Agree for below point
"the 'page not found' exponent message is due to attempting to open a folder which the main .htaccess file has the server kick over as a 404 error. This is expected behavior with an attempt to open any 'folder' path within the exponent folder system under apache"
If you access '/files/' it's giving error as expected.
But if you access '/files/$uploaded_file$.php' it will not giving any error (e.g authorized failed/page not found/bad request) even user is not login to the application.Uploaded scripts gets executed.
Thanks a lot.
-
Sachin Wagh February 3rd, 2016 @ 07:09 PM
Hi dleffler,
Any update on this.
Thanks.
Best Regards,
Sachin Wagh.
-
dleffler February 3rd, 2016 @ 08:20 PM
- Milestone set to User issues
As before, what you are demonstrating is either:
- the .htaccess files in the /files folder is/are missing or are not the ones shipped with Exponent
- (or), you are attempting to run this on a non-apache server which we do not ship configuration files for (I don't think this is your test case)
- (or), you are demonstrating an apache web server bug, which would best be logged/fixed with apache
In a properly configured and working apache server, the .htaccess file within the /files folder will prevent any script (esp. a .php script) from being executed and will load the home page
-
Sachin Wagh February 10th, 2016 @ 02:04 PM
Hi dleffler,
I verified again. It is possible to execute PHP script.After uploading PHP script if you access directly as http://www.example.com/files/shell.php.
Thanks.
Best Regards,
Sachin Wagh
-
-
dleffler December 15th, 2016 @ 11:42 AM
- State changed from new to resolved
- Milestone set to 2.4.1
This issue was further prevents by a recent code push to filter all uploads
Please Sign in or create a free account to add a new ticket.
With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป
Bug Tracker for Exponent CMS