exponentcms / exponent-cms

Content Management, Simple.
exponentcms.org
GNU General Public License v2.0

Exponent CMS 2.4.1 Patch 1 - Unrestricted File Upload Vulnerability #1448

Open exponentcms opened 4 years ago

exponentcms commented 4 years ago

As it has already been pointed out (https://exponentcms.lighthouseapp.com/projects/61783/tickets/1402-exponent-cms-240-patch-5-unrestricted-file-upload-vulnerability-in-expfilephp#ticket-1402-5), a blacklisting approach towards preventing malicious executable file uploads is not secure.

Each Apache configuration is different and thus each server requires a different blacklist.

E.g. some servers - such as http://exponent.org - are configured with "AddType application/x-httpd-php .php2" which is not covered by the blacklist. Therefore, on such servers, malicious .php2-files can be uploaded and executed.

Actually, any file extension such as ".myscript", ".exponent" or ".blabla" could have a handler attached.

I continue to recommend a whitelisting approach.

exponentcms commented 4 years ago

We did switch to whitelisted uploads as you requested in v2.4.1. Though the approach differs in the 'exponent' based uploads and elFinder uploads, they are both matched against the same list of mimetypes. And for files uploaded outside of elFinder, they are parsed through the class.upload library as you suggested.

exponentcms commented 4 years ago

Matching against mimetypes via finfo provides no safety against uploading malicious files, see e.g. http://php.net/manual/en/function.finfo-file.php#75275

Example: uploading a file whose contents starts with "x<?php " is regarded as "plain/text".
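The blacklist-versus-whitelist argument above, and the finfo point made here (and the RTF-prefix variant reported further down the thread), as an added example that is not Exponent's own upload code: the decision is made on an extension allowlist, with a blacklist and a libmagic sniff shown beside it for contrast. The allowlist contents, the function names and the sample payloads are assumptions made for this example; the types finfo prints depend on the libmagic build of the host it runs on.

```php
<?php
// Added example (not Exponent's code): extension allowlisting as the upload
// decision, with a blacklist and a finfo sniff beside it for contrast.

// Extensions this application is willing to store and serve.  Anything else is
// refused, so a handler bound to .php2, .exponent or ".blabla" on one
// particular server never comes into play.  (Allowlist chosen for this example.)
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// A blacklist of the kind argued against above: complete only for the handlers
// its author happened to know about.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];

function fileExtension(string $name): string
{
    // Drop any directory part, take what follows the last dot, lower-case it
    // so "shell.PHP2" is not treated differently from "shell.php2".
    $base = basename($name);
    $dot = strrpos($base, '.');
    return $dot === false ? '' : strtolower(substr($base, $dot + 1));
}

function blacklistAllows(string $name): bool
{
    return !in_array(fileExtension($name), BLOCKED_EXTENSIONS, true);
}

function whitelistAllows(string $name): bool
{
    return in_array(fileExtension($name), ALLOWED_EXTENSIONS, true);
}

// What libmagic guesses from the leading bytes.  The guess depends on the
// libmagic build and changes with any prefix; the PHP interpreter does not care.
function sniffedMime(string $content): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $type = $finfo->buffer($content);
    return $type === false ? 'unknown' : $type;
}

// Name to store an accepted upload under: server-generated, carrying only an
// allowlisted extension, never the client's own file name.
function storageName(string $clientName): ?string
{
    if (!whitelistAllows($clientName)) {
        return null;
    }
    return bin2hex(random_bytes(8)) . '.' . fileExtension($clientName);
}

// Payloads constructed for this example (single quotes keep the backslashes literal).
$plain     = '<?php phpinfo(); ?>';
$xPrefixed = 'x' . $plain;
$rtfFirst  = '{\rtf1\ansi{\fonttbl\f0\fswiss Helvetica;}\f0\pard ' . $plain;

foreach (['image.png', 'shell.php', 'malicious.php2', 'handler.exponent'] as $name) {
    printf("%-18s blacklist:%-6s whitelist:%-6s stored as: %s\n", $name,
        blacklistAllows($name) ? 'pass' : 'block',
        whitelistAllows($name) ? 'pass' : 'block',
        storageName($name) ?? '(rejected)');
}
foreach (['plain' => $plain, 'x-prefixed' => $xPrefixed, 'rtf-prefixed' => $rtfFirst] as $label => $content) {
    printf("%-13s sniffed as %s\n", $label, sniffedMime($content));
}
```

Run it with the fileinfo extension loaded. `malicious.php2` and `handler.exponent` pass the blacklist and are refused by the allowlist; the three payloads are the same PHP to the interpreter whatever the sniffer reports for them, which is why `storageName()` never consults `sniffedMime()`. A sniff can still serve as a secondary signal (refuse a "png" whose bytes are not an image), and the directory the stored files land in should be served with script execution disabled so that a wrong allowlist entry is not immediately a remote shell.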

exponentcms commented 4 years ago

You will have to provide a specific example and how (which upload method). FWIW, exponent.org is not running a current version of software yet.

exponentcms commented 4 years ago

curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=upload" -F "target=l1_" -F "upload[]=@/path/to/malicious.php2"

Apache/2.4.18 (Ubuntu) on Ubuntu 16.04 LTS running Exponent CMS v2.4.1 Patch #1

exponentcms commented 4 years ago

The class.upload library suffers from the same vulnerability:

curl "[exponent]/framework/modules/file/connector/uploader_tinymce.php" -F "file=@/path/to/malicious.php2"

In this case however, malicious.php2 must have a mimetype which is either "text/rtf" or does not start with "text/".

This can easily be achieved by e.g. prepending the content of malicious.php2 with "{\rtf1\ansi{\fonttbl\f0\fswiss Helvetica;}\f0\pard".

I could verify the vulnerability on my local installation (see my last reply for version info). The exponent website linked in your github profile seems to be one of the only ones on the web running a current Exponent CMS v2.4.1 patch #1 and is not vulnerable due to your apache configuration (I tested uploading php files containing "<?php phpinfo(); ?>").

I am unfortunately not surprised that http://exponentcms.org is running an outdated vulnerable version, which actually puts all downloaders of Exponent CMS at high risk. Even though you @dleffler put a lot of work in this CMS, there seems to be no userbase, no developer community and no professional backing (is oicgroup defunct?). Exponent CMS has a huge legacy codebase which IMHO is really too big to be maintained and advanced by yourself alone.

There are more vulnerabilities in Exponent CMS, such as local proxies, open redirects etc. but I don't have time to sift through all the code.

Here a few things that I spotted:

Open redirect: [exponent]/external/phpThumb/phpThumb.php?src=http://exponentcms.org:a@maliciousdomain.com/malicious.jpg

Local proxy: curl "[exponent]/framework/modules/file/connector/elfinder.php" -F "cmd=get" -F "target=[target hash]" -F "upload[]=localhost"

Possible session fixation attack: [exponent]/index.php?expid=123

Also, there is adminer packaged with exponent, allowing attackers to connect to the database locally from the server once they have gained access to the database credentials.

Also, why can anyone / unauthenticated users upload files at all?

Also, access to directories such as /cron should be denied completely.

My final thoughts on this matter: Abandon Exponent CMS, since fixing it and making it secure will take much more time than e.g. adapting and joining the development of any other modern open source CMS. They surely could use more developer talent such as you and you might gain valuable new experiences yourself.
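The open redirect listed above works because `exponentcms.org:a` is the user:password part of the URL and `maliciousdomain.com` is the host. As an added example, not Exponent's or phpThumb's code, the following shows why a prefix test on the raw URL passes that address while a check on the parsed host does not. The allowed-host list, the function names and the sample URLs are assumptions made for this example.

```php
<?php
// Added example (not Exponent's or phpThumb's code): prefix test versus
// parsed-host test on a URL carrying a userinfo component.

// Hosts this site may fetch from or redirect to.  Chosen for this example.
const ALLOWED_HOSTS = ['exponentcms.org', 'www.exponentcms.org'];

// The kind of check the reported URL slips past: the string really does start
// with the trusted origin, but "exponentcms.org:a" is user:password here.
function prefixCheckAllows(string $url): bool
{
    return strpos($url, 'http://exponentcms.org') === 0
        || strpos($url, 'https://exponentcms.org') === 0;
}

// Check the host component as the URL parser (and the fetching client) sees it.
function hostCheckAllows(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                       // relative, malformed or schemeless
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                       // no file:, gopher:, javascript: etc.
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                       // userinfo has no legitimate use here
    }
    return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true);
}

// Sample URLs constructed for this example.
$samples = [
    'http://exponentcms.org/images/logo.jpg',
    'http://exponentcms.org:a@maliciousdomain.com/malicious.jpg',
    'http://exponentcms.org.maliciousdomain.com/x.jpg',
    'http://localhost/',
    'file:///etc/passwd',
];
foreach ($samples as $url) {
    printf("%-60s prefix:%-6s host:%s\n", $url,
        prefixCheckAllows($url) ? 'pass' : 'block',
        hostCheckAllows($url) ? 'pass' : 'block');
}
```

Only the first sample passes `hostCheckAllows()`; the second and third pass the prefix test. For a server-side fetch such as the elFinder `get` case listed above, a host allowlist is the first step and the `localhost` sample is refused by it, but a proxy-style fetcher additionally has to resolve the host and refuse addresses on its own networks before connecting, since an allowlisted name can still resolve to an internal address.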

exponentcms commented 4 years ago

Lighthouse URL: https://exponentcms.lighthouseapp.com/projects/61783/tickets/1405