Exponent CMS 2.6.0 patch2 - Insecure file upload (RCE)
Summary
| Name | Exponent CMS 2.6.0 patch2 - Insecure file upload (RCE) |
| Code name | Dylan |
| Product | Exponent CMS |
| Affected versions | v2.6.0 patch2 |
| State | Public |
| Release Date | 2022-02-03 |
Vulnerability
| Kind | Insecure file upload (RCE) |
| Rule | 027. Insecure file upload |
| Remote | Yes |
| CVSSv3 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CVSSv3 Base Score | 9.1 |
| Exploit available | No |
| CVE ID(s) | CVE-2022-23048 |
Description
Exponent CMS 2.6.0 patch2 allows an authenticated admin user to upload a malicious
extension in the form of a zip archive that contains a PHP file. After the upload,
the PHP file is placed at themes/simpletheme/{rce}.php, from where it can be requested
over HTTP to execute operating-system commands on the web server.
Proof of Concept
- Click the Exponent logo in the upper left corner.
- Go to 'Super-Admin Tools' > 'Extensions' > 'Install Extension'.
- Click 'Upload Extension'.
- Create a malicious PHP file with the following PoC content:

```php
<?php echo system($_GET['cmd']); ?>
```

- Zip the PHP file.
- Upload the zip file and click 'Upload Extension'.
- Click 'Continue with Installation'.
- Browse to http://127.0.0.1/exponentcms/themes/simpletheme/{rce}.php, passing the
  command to run in the cmd query parameter, in order to execute commands.
System Information:
- Version: Exponent CMS 2.6.0 patch2.
- Operating System: Linux.
- Web Server: Apache
- PHP Version: 7.4
- Database and version: MySQL
Exploit
There is no public exploit for the vulnerability, but it can be exploited manually by following the steps in the Proof of Concept section.
Mitigation
As of 2022-02-03 there is no patch resolving the issue. The report is tracked in the vendor ticket and the GitHub issue listed under References.
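The following Python script is an added example and is not code from Fluid Attacks or from the Exponent CMS project. It does two things the advisory describes only in prose: it builds the PoC archive from the Proof of Concept section (a zip holding the one-line web shell), and it runs the kind of pre-install check an extension installer should apply to an uploaded archive, which rejects that PoC. The function names, the list of PHP-handled extensions, and the sample archives are assumptions made for this example; the real set of extensions Apache maps to the PHP handler depends on the server configuration.

```python
import io
import re
import zipfile

# The one-line web shell from the Proof of Concept section, constructed inline.
WEBSHELL = b"<?php echo system($_GET['cmd']); ?>"

# File extensions that a typical Apache/PHP setup hands to the PHP interpreter.
# Assumption for this example: the authoritative list is the server's own
# AddHandler / FilesMatch configuration.
PHP_EXTENSIONS = (".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps", ".phar")


def build_poc_zip(member_name="rce.php", payload=WEBSHELL):
    """Return the bytes of a zip archive holding one file, as in the PoC.

    With the defaults this is exactly the archive the PoC steps upload:
    a single PHP file containing the web shell.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def dangerous_members(zip_bytes):
    """List (member, reason) pairs an installer should refuse to extract.

    Flags, in this order: absolute paths or '..' traversal segments, any dot
    segment that is a PHP-handled extension (so 'x.php.txt' is caught, not
    only 'x.php'), and a PHP open tag inside a file with a harmless name.
    """
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry, nothing is written for it
            posix = name.replace("\\", "/")
            parts = posix.split("/")
            if posix.startswith("/") or ".." in parts:
                bad.append((name, "path traversal"))
                continue
            basename = parts[-1].lower()
            segments = basename.split(".")[1:]  # everything after the stem
            if any("." + seg in PHP_EXTENSIONS for seg in segments):
                bad.append((name, "php executable"))
                continue
            # Content check: a PHP open tag in a non-PHP file is still worth
            # rejecting, since a later .htaccess or handler change would run it.
            head = zf.read(name)[:4096]
            if re.search(rb"<\?(php|=)", head):
                bad.append((name, "php open tag in content"))
    return bad


def is_safe_extension_archive(zip_bytes):
    """True when the archive contains nothing the installer should refuse."""
    return not dangerous_members(zip_bytes)


if __name__ == "__main__":
    poc = build_poc_zip()
    print("PoC archive: %d bytes" % len(poc))
    print("flagged members:", dangerous_members(poc))
    benign = build_poc_zip("simpletheme/style.css", b"body { color: red; }")
    print("benign archive safe:", is_safe_extension_archive(benign))
```

Running the script prints the size of the PoC archive and shows the web shell member flagged as a PHP executable, while a constructed archive containing only a stylesheet passes. The check is applied to the archive before extraction, because once the installer has written rce.php under a directory the web server serves, any request to it already runs the shell.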
Credits
The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.
References
Vendor page https://www.exponentcms.org/
Ticket https://exponentcms.lighthouseapp.com/projects/61783/tickets/1460
Issue https://github.com/exponentcms/exponent-cms/issues/1546
Timeline
2022-01-24
Vulnerability discovered.
2022-01-24
Vendor contacted.
2022-02-03
Public Disclosure.

