Exponent CMS 2.6.0 patch2 - Insecure file upload (RCE)
9,1
Critical
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Exponent CMS 2.6.0 patch2 - Insecure file upload (RCE)
Code name
State
Public
Release date
3 de fev. de 2022
Affected product
Exponent CMS
Affected version(s)
v2.6.0 patch2
Vulnerability name
Insecure file upload (RCE)
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS v3.1 base score
9.1
Exploit available
No
CVE ID(s)
Description
Exponent CMS 2.6.0 patch2 allows an authenticated admin user to upload a malicious extension in the format of a zip file with a php file inside it. After upload it, the php file will be placed at themes/simpletheme/{rce}.php from where can be access in order to execute commands.
Proof of Concept
Click on the Exponent logo located on the upper left corner.
Go to 'Super-Admin Tools' > 'Extensions' > 'Install Extension'.
Click on 'Upload Extension'.
Create a malicious PHP file with the following PoC.
Zip the php file.
Upload the zip file.
Click on 'Upload Extension'
Next, click on 'Continue with Installation'.
Go to
http://127.0.0.1/exponentcms/themes/simpletheme/{rce}.phpin order to execute commands.
System Information:
Version: Exponent CMS 2.6.0 patch2.
Operating System: Linux.
Web Server: Apache
PHP Version: 7.4
Database and version: Mysql
Exploit
There is no exploit for the vulnerability but can be manually exploited.
Mitigation
By 2022-02-03 there is not a patch resolving the issue.
References
Timeline
Vulnerability discovered
24 de jan. de 2022
Vendor contacted
24 de jan. de 2022
Public disclosure
3 de fev. de 2022
