Exponent CMS 2.6.0 patch2 - Insecure file upload (RCE)
9.1
Critical
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Exponent CMS 2.6.0 patch2 - Insecure file upload (RCE)
Code name
State
Public
Release date
Feb 3, 2022
Affected product
Exponent CMS
Affected version(s)
v2.6.0 patch2
Vulnerability name
Insecure file upload (RCE)
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS v3.1 base score
9.1
Exploit available
No
CVE ID(s)
Description
Exponent CMS 2.6.0 patch2 allows an authenticated admin user to upload a malicious extension packaged as a zip file that contains a PHP file. After the upload, the PHP file is placed at themes/simpletheme/{rce}.php, from where it can be accessed in order to execute commands.
Proof of Concept
Click on the Exponent logo located on the upper left corner.
Go to 'Super-Admin Tools' > 'Extensions' > 'Install Extension'.
Click on 'Upload Extension'.
Create a malicious PHP file with the following PoC.
Zip the php file.
Upload the zip file.
Click on 'Upload Extension'.
Next, click on 'Continue with Installation'.
Go to http://127.0.0.1/exponentcms/themes/simpletheme/{rce}.php in order to execute commands.
System Information:
Version: Exponent CMS 2.6.0 patch2.
Operating System: Linux.
Web Server: Apache
PHP Version: 7.4
Database and version: Mysql
Exploit
There is no public exploit for this vulnerability, but it can be exploited manually.
Mitigation
As of 2022-02-03 there is no patch resolving the issue.
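The root cause is an extension installer that unpacks an administrator-supplied archive into a web-served directory without inspecting its contents. The following Python check is an added defensive illustration, not code from the advisory or from Exponent CMS, of what a pre-installation gate for such archives should refuse: entries with a server-executable extension anywhere in their name (so that double extensions such as name.php.jpg, which some Apache handler configurations still execute, are caught), zip-slip paths, symbolic links, and web server override files. The function names, the extension list and the two sample archives are assumptions constructed for the demo.

```python
from __future__ import annotations

import io
import posixpath
import re
import zipfile

# Extensions a typical PHP web server may hand to the interpreter.
# Conservative list, an assumption for this example rather than any project's policy.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "inc"}
# Files that can change how the web server treats the directory they land in.
SERVER_OVERRIDES = {".htaccess", ".user.ini"}
_EXT_RE = re.compile(r"\.([A-Za-z0-9]+)")


def php_like(name: str) -> bool:
    """True if any dot-separated suffix of the basename is a PHP-style extension.

    Every suffix is checked, not just the last one: with Apache's multiple-extension
    handling a file called 'shell.php.jpg' can still be executed as PHP.
    """
    base = posixpath.basename(name.replace("\\", "/"))
    return any(ext.lower() in PHP_EXTENSIONS for ext in _EXT_RE.findall(base))


def unsafe_path(name: str) -> bool:
    """Reject absolute paths, drive letters and any '..' component (zip-slip)."""
    if name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name):
        return True
    return ".." in name.replace("\\", "/").split("/")


def inspect_extension_zip(data: bytes) -> list[str]:
    """Return human-readable findings for an extension archive.

    An empty list means the archive passed every check; anything else should
    block installation before a single entry is written under the web root.
    """
    findings: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            base = posixpath.basename(name.replace("\\", "/"))
            if unsafe_path(name):
                findings.append(f"path traversal or absolute path: {name}")
            # Upper 16 bits of external_attr hold the Unix mode; 0o120000 marks a symlink.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                findings.append(f"symbolic link entry: {name}")
            if php_like(base):
                findings.append(f"server-executable file: {name}")
            if base.lower() in SERVER_OVERRIDES:
                findings.append(f"web server config override: {name}")
    return findings


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name -> content map (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a harmless theme archive and one shaped like the upload in
# the advisory (a PHP file inside the theme folder) plus a zip-slip entry.
BENIGN = build_zip({
    "mytheme/theme.css": b"body { margin: 0 }",
    "mytheme/views/index.tpl": b"<h1>hello</h1>",
})
MALICIOUS = build_zip({
    "mytheme/theme.css": b"body { margin: 0 }",
    "mytheme/{rce}.php": b"<?php /* placeholder body, not an exploit */ ?>",
    "../escape.txt": b"x",
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        findings = inspect_extension_zip(blob)
        print(label, "REJECT" if findings else "ACCEPT", findings)
```

Running the module prints ACCEPT for the benign archive and REJECT for the second one, listing both the executable entry and the traversal entry. A gate like this belongs before extraction, not after: once the archive has been unpacked into a served directory the file is already reachable over HTTP, which is exactly the condition the advisory describes.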
References
Timeline
Vulnerability discovered
Jan 24, 2022
Vendor contacted
Jan 24, 2022
Public disclosure
Feb 3, 2022