Exponentcms Exponent CMS → 2.4.1

Comments and changes to this ticket

• 

  dleffler January 30th, 2016 @ 06:01 PM

  • Tag set to “security”
  • Assigned user cleared.

  I will acknowledge this will allow creating a NEW EMPTY file, however the .htaccess file in that folder will NOT ALLOW .php script execution (nor these file types: .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .html .shtml .sh .cgi).

  Not sure how you would be able to accomplish what is seen in 1.RCE.png & 2.RCE.png, since it won't allow running that script and you'd even have to be an authorized user to even get that file into the folder anyway.

  The command doesn't allow overwriting files within the folder either, so you can't damage anything in their already.

  Are you running on a server other than apache?

• You flagged this item as spam.
  

  Sachin Wagh January 31st, 2016 @ 04:04 PM

  Hi dleffler,

  I achieved this through File Manager. It allows to upload .php file and you can access it through http://localhost/exponent-2.3.7/files/$filename$.php

  It allows to execute system level command as shown in the POC.

  The interesting part is that once its uploaded unauthenticated user can also access same file and execute malicious command.

  Thanks a lot.

• 

  dleffler January 31st, 2016 @ 06:22 PM

  I'm sorry I can not reproduce this since the (apache) .htaccess will NOT allow script execution in the /files folder structure (nor /tmp).

  We will admit there is a certain amount of security compromised whenever an administrator grants the user a 'create' or 'edit' permission which allows them to upload images (and thus upload files) (unless this permission is specifically removed via group permissions) none-the-less, no script can be run from either the /tmp nor the /files folder(s).

  Are you perhaps running this on another web server (nginx, lighttpd, or IIS) which we do not actually support nor ship server configuration files for?

• You flagged this item as spam.
  

  Sachin Wagh February 1st, 2016 @ 06:44 AM

  • Assigned user set to “expNinja”

  Hi,

  Please find attached POC video.

  Thanks.

  • Code_Execution.avi 3.9 MB
• 

  dleffler February 1st, 2016 @ 04:18 PM

  • Assigned user changed from “expNinja” to “dleffler”

  I follow what you are attempting to communicate in the attached video. But again, I must reiterate that what you are demonstrating is a mis-configured/unsecure apache server (also my assumption from the video folder path is you are running xampp locally, which is using apache, version unknown)

  • the 'page not found' exponent message is due to attempting to open a folder which the main .htaccess file has the server kick over as a 404 error. This is expected behavior with an attempt to open any 'folder' path within the exponent folder system under apache
  • again, the .htaccess file we ship with Exponent will not allow running scripts within /files

  I have verified several times both locally and on an active site that the .htaccess configuration is working as expected and will kick the server to request the main/home page

  If you have an issue it is with the xampp package or apache itself...OR your package extraction under windows failed to extract the 'dot' files correctly

• You flagged this item as spam.
  

  Sachin Wagh February 1st, 2016 @ 04:34 PM

  Hi dleffler,

  Agree for below point

  "the 'page not found' exponent message is due to attempting to open a folder which the main .htaccess file has the server kick over as a 404 error. This is expected behavior with an attempt to open any 'folder' path within the exponent folder system under apache"

  If you access '/files/' it's giving error as expected.

  But if you access '/files/$uploaded_file$.php' it will not giving any error (e.g authorized failed/page not found/bad request) even user is not login to the application.Uploaded scripts gets executed.

  Thanks a lot.

• You flagged this item as spam.
  

  Sachin Wagh February 3rd, 2016 @ 07:09 PM

  Hi dleffler,

  Any update on this.

  Thanks.

  Best Regards,

  Sachin Wagh.

• 

  dleffler February 3rd, 2016 @ 08:20 PM

  • Milestone set to “User issues”

  As before, what you are demonstrating is either:

  • the .htaccess files in the /files folder is/are missing or are not the ones shipped with Exponent
  • (or), you are attempting to run this on a non-apache server which we do not ship configuration files for (I don't think this is your test case)
  • (or), you are demonstrating an apache web server bug, which would best be logged/fixed with apache

  In a properly configured and working apache server, the .htaccess file within the /files folder will prevent any script (esp. a .php script) from being executed and will load the home page

• You flagged this item as spam.
  

  Sachin Wagh February 10th, 2016 @ 02:04 PM

  Hi dleffler,

  I verified again. It is possible to execute PHP script.After uploading PHP script if you access directly as http://www.example.com/files/shell.php.

  Thanks.

  Best Regards,

  Sachin Wagh

• 

  dleffler May 2nd, 2016 @ 08:35 PM

  • Milestone cleared.

  [bulk edit]

• 

  dleffler December 15th, 2016 @ 11:42 AM

  • State changed from “new” to “resolved”
  • Milestone set to “2.4.1”

  This issue was further prevents by a recent code push to filter all uploads