Exponent CMS 2.6.0 patch2 - Insecure file upload (RCE)

Summary

NameExponent CMS 2.6.0 patch2 - Insecure file upload (RCE)
Code name
ProductExponent CMS
Affected versionsv2.6.0 patch2
StatePublic
Release date2022-02-03

Vulnerability

KindInsecure file upload (RCE)
Rule
RemoteYes
CVSSv3.1 VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSSv3.1 Base Score9.1
Exploit availableNo
CVE ID(s)

Description

Exponent CMS 2.6.0 patch2 allows an authenticated admin user to upload a malicious extension in the format of a zip file with a php file inside it. After upload it, the php file will be placed at themes/simpletheme/{rce}.php from where can be access in order to execute commands.

Proof of Concept

  1. Click on the Exponent logo located on the upper left corner.

  2. Go to 'Super-Admin Tools' > 'Extensions' > 'Install Extension'.

  3. Click on 'Upload Extension'.

  4. Create a malicious PHP file with the following PoC.

    <?php echo system($_GET['cmd']); ?>
    
  5. Zip the php file.

  6. Upload the zip file.

  7. Click on 'Upload Extension'

  8. Next, click on 'Continue with Installation'.

  9. Go to http://127.0.0.1/exponentcms/themes/simpletheme/{rce}.php in order to execute commands.

System Information:

  • Version: Exponent CMS 2.6.0 patch2.
  • Operating System: Linux.
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: Mysql

Exploit

There is no exploit for the vulnerability but can be manually exploited.

Mitigation

By 2022-02-03 there is not a patch resolving the issue.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://www.exponentcms.org/

Ticket https://exponentcms.lighthouseapp.com/projects/61783/tickets/1460

Issue https://github.com/exponentcms/exponent-cms/issues/1546

Timeline

Time-lapse-logo

2022-01-24

Vulnerability discovered.

Time-lapse-logo

2022-01-24

Vendor contacted.

Time-lapse-logo

2022-02-03

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.