#1460 new

Exponent CMS 2.6.0 patch2 - Insecure file upload (RCE Upload new extension)

Reported by Oscar | January 24th, 2022 @ 05:32 PM

Bug description

Exponent CMS 2.6.0 patch2 allows an authenticated admin user to upload a malicious extension in the form of a zip file with a PHP file inside it.
After uploading it, the PHP file is placed at themes/simpletheme/{rce}.php, from where it can be accessed to execute commands.

CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSSv3 Base Score: 9.1

Steps to reproduce

  1. Click on the Exponent logo located in the upper left corner.
  2. Go to 'Super-Admin Tools' > 'Extensions' > 'Install Extension'.
  3. Click on 'Upload Extension'.
  4. Create a malicious PHP file with the following PoC:

     <?php echo system($_GET['cmd']); ?>

  5. Zip the PHP file.
  6. Upload the zip file.
  7. Click on 'Upload Extension'.
  8. Next, click on 'Continue with Installation'.
  9. Go to {rce}.php in order to execute commands.

Attached below are the links to the advisory and our responsible disclosure policy.

System Information

  • Version: Exponent CMS 2.6.0 patch2.
  • Operating System: Linux.
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: Mysql
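As an added defender-side example (not Exponent CMS code), the following Python check inspects an uploaded extension archive before anything is extracted and refuses entries that a PHP-enabled web server would execute, or that would land outside the target directory. The extension list and the sample archive are constructed assumptions, not taken from the project.

```python
import io
import posixpath
import zipfile

# File extensions an Apache/mod_php deployment typically hands to the PHP interpreter.
# Assumption: this list matches the server's handler configuration; extend it if needed.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def entry_is_executable(name: str) -> bool:
    """True if any dotted suffix of the file name is a PHP extension.

    Every suffix is checked, not just the last one, so 'shell.php.jpg' is
    also refused (multi-extension handling can still execute it).
    """
    suffixes = posixpath.basename(name).lower().split(".")[1:]
    return any(s in EXECUTABLE_EXTENSIONS for s in suffixes)


def entry_escapes_target(name: str) -> bool:
    """True if extracting the entry would write outside the target directory."""
    normalized = posixpath.normpath(name)
    return posixpath.isabs(name) or normalized == ".." or normalized.startswith("../")


def find_unsafe_entries(zip_bytes: bytes) -> list[str]:
    """Return the archive entries an extension installer should refuse to extract."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if entry_is_executable(info.filename) or entry_escapes_target(info.filename):
                unsafe.append(info.filename)
    return unsafe


def build_archive(entries: dict[str, str]) -> bytes:
    """Build an in-memory zip from {path: content}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a legitimate theme file beside the kind of entry the report describes.
    sample = build_archive({
        "simpletheme/style.css": "body { margin: 0; }",
        "simpletheme/rce.php": "<?php /* constructed placeholder, not a payload */ ?>",
        "../escape.txt": "would land outside the extension directory",
    })
    for entry in find_unsafe_entries(sample):
        print("refusing entry:", entry)
```

An installer that calls find_unsafe_entries() and aborts on a non-empty result never writes the PHP file into the theme directory, which removes the step the report relies on.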

Comments and changes to this ticket

  • dleffler

    dleffler February 12th, 2022 @ 09:40 PM

    • Assigned user changed from “expNinja” to “dleffler”

    I'm not sure I follow your logic. A Super-Admin by definition is granted permission to pretty well take down the site any number of ways?

  • Oscar

    Oscar February 17th, 2022 @ 04:12 PM

    Any functionality that allows functions/actions other than those planned are cases of abuse, regardless of the context (the impact is given by the rating). Abuse cases are usually vulnerabilities that need to be fixed.
