A number of security issues have been discovered in ExponentCMS ------------------------------------------------------------------------ --------------------- Exponent is a fully-featured, modern CMS written in PHP, that enables non-technical people to manage and update their websites with minimal effort. Exponent is also an attractive development platform for traditional and non-traditional web applications. Exponent can be found at: http://sourceforge.net/projects/exponent/ ------------------------------------------------------------------------ --------------------- Security issues are located in 0.96.3 and higher. 1. js injection in forms. ExponentCMS has a form generator which allows admin to create new forms. Once these forms are used by users it is in most cases possible to craft javascript injections which will be send to the given person. Status: open 2. SQL injections in the navigation module. Problem: Any user who is allowed to change the order of the menu is able to inject sql using a crafted url. PoC: /index.php?action=order&parent=41%20or% 201&a=1&b=0&module=navigationmodule Solution: Typecast values where possible. Status: Fixed in CVS. Together with lots of other modules where no typecasting is used. 3. Path disclosure in the extra Image Gallery module: There is a security issue in the image gallery which can be downloaded apart from the current stable. In the output it shows the path above the document root when placing the preview icons: thumb.php?base=/var/www/site2/exponent-0.96.3/...... Status: Fixed in cvs 4. (XSS) invalid checking of mime type for uploads Exponent, the imagegallery to be specific, lacks mime type checking on the uploads. Therefor the preview icon is shown. On clicking the preview icon shows the source written for the file. Status: open 5. permissions on uploaded files Files uploaded to exponentcms are chmodded with execute rights. In some cases this could lead to code execution by visitors. Status: Fixed in CVS 6. False idea of secure file storage. Users can create a page which is active but not public. They can even set group/person permissions on such a page. The default installation of exponent does not provide a mechanism to prevent people from using a bot to browse for uploaded resources and viewing those who are supposed to be secured behind a login page since they are all stored in the document root. Status: open 7. parsing php through uploaded files Once a user is allowed to upload images it is possible to upload php code and do anything the user apache/webserver is allowed to do (some examples): * view source code of the files. * view and alter sessions of other users (in fact, do anything with the database you want to do. * view the /etc/passwd Status: open 8. XSS bug in the installer Javascript is parsed when added to the url parameters of the installer since there is hardly any user input sanitation. Status: fixed in cvs 9.