Security — Exponent Forums

Security Validation Failed

eVenster — Mon, 07 Nov 2016 13:33:56 +0000

Google recaptcha gives a Security Validation Failed. Exponent 2.4 (p1)

Maybe potential SQL injection

obfusor — Wed, 02 Nov 2016 07:56:03 +0000

I found two potential SQL injections.

0x1 > framework/modules/eaas/controllers/eaasController.php , $key can becontrolled. And in the line 33 of framework/core/models/expConfig.php,$this->location_data can be controlled and injected. It is possible to boolean-based blind SQL Inject by the param of apikey.

[Suggest Fix]: parent::__construct($db->selectValue($this->table, 'id', "location_data='".expString::escape($this->location_data)."'"));

0x2. In the function activate_address of the file framework/modules/addressbook/controllers/addressController.php, $this->params['is_what'] can be controlled and injected. It is possible to do time-based SQL inject by the param 'is_what'.
Although there is expString::escape filter, it can be bypass like is_what= "firstname=0x61 where sleep(10)-- a".

[Suggest Fix]: $is_what should be existed columns ;

Sorry, the previous one is down. I post again.

Maybe There is an possible sql inject.

obfusor — Wed, 26 Oct 2016 16:42:05 +0000

I found a potential sql injection. In the function getPageByName of file framework/core/subsystems/expRouter.php, in the line 707,
Code:$section = $db->selectObject('section', "sef_name='".$url_name."'");
Maybe $url_name could be controlled in line 786, $section = $this->url_style=="sef" ? $this->getPageByName($_REQUEST['section']), which may lead to sql injection.
Suggested Fix:
line 707, file framework/core/subsystems/expRouter.php
$section = $db->selectObject('section', "sef_name='".expString::escape($url_name)."'"); ^-^

Security Vulnerability - All Exponent Versions - September 2016 (Updated)

dleffler — Tue, 13 Sep 2016 00:19:28 +0000

There are several security vulnerabilities in Exponent 2.x found on September 12 and 13, 2016, reported by Manuel Garcia Cardenas and PKAV TEAM which could allow possible SQL injections. They have been present in all versions of Exponent (2.x). The fix is:

Update to the latest version (v2.3.9) and the latest patch (v2.3.9patch1) which will be released around September 13th. This is the recommended fix since it also addresses several security issues and other fixes not addressed in the patches to v2.2.3 nor v2.1.4.
If running a version 2.2.x installation and not wanting to update to the latest version, you should update to v2.2.3 (last release before major version update to v2.3.x) and install its latest patch (v2.2.3patch14). If you are already running v2.2.3, you'll want to install this patch to also correct some other issues.
If running a version prior to v2.2.0 (v2.0.x or v2.1.x) installation and not wanting to update to the latest version, you should update to v2.1.4 (last release before major version update to v2.2.x) and install its latest patch (v2.1.4patch11). If you are already running v2.1.4, you'll want to install this patch. It should be noted that v2.1.4 will NOT run on any of the currently maintained versions of PHP (v5.6 and v7.0).
There is no manual method,

Updated Patches released for v2.1.4 and v2.2.3 - September 2016 (Updated)

dleffler — Tue, 13 Sep 2016 00:21:25 +0000

Though they are both extremely old versions, with v2.1.4 no longer running on the maintained releases of PHP (v5.6 and v7.0), they were the release before a major version change and are/may still be in use. Please bear in mind we strongly recommend your installations be updated to a much newer version which contains many more fixes and new features. Having said that, these patches (v2.1.4patch11 and v2.2.3patch14) fix security vulnerabilities reported by Manuel Garcia Cardenas and PKAV TEAM which could allow possible SQL injections.

You can find the patches here.

Updated Patches released for v2.1.4 and v2.2.3 - August 2016

dleffler — Fri, 02 Sep 2016 03:52:31 +0000

Though they are both extremely old versions, they were the release before a major version change and are/may still be in use. Please bear in mind we strongly recommend your installations be updated to a much newer version which contains many more fixes and new features. Having said that, these patches (v2.1.4patch9 and v2.2.3patch12) fix a security vulnerability reported by Balisong which might allow uploaded scripts to be executed.

You can find the patches here.

Security Vulnerability - All Exponent Versions - August 2016

dleffler — Fri, 02 Sep 2016 03:51:38 +0000

There is a security vulnerability in Exponent 2.x found on August 26, 2016 reported by Balisong which could allow uploaded scripts to be executed. It has been present in all versions of Exponent (2.x). The fix is:

Update to the latest version (v2.3.9) which will be released around September 1st. This is the recommended fix since it also addresses several security issues and other fixes not addressed in the patches to v2.2.3 nor v2.1.4.
If running a version 2.2.x installation and not wanting to update to the latest version, you should update to v2.2.3 (last release before major version update to v2.3.x) and install its latest patch (v2.2.3patch12). If you are already running v2.2.3, you'll want to install this patch to also correct some other issues.
If running a version prior to v2.2.0 (v2.0.x or v2.1.x) installation and not wanting to update to the latest version, you should update to v2.1.4 (last release before major version update to v2.2.x) and install its latest patch (v2.1.4patch9). If you are already running v2.1.4, you'll want to install this patch.
There is no easy manual method, but in simple terms we update/add the .htaccess files into the /files and /tmp folders and their subfolders

Security Vulnerability - All Exponent Versions - June 2016

dleffler — Fri, 03 Jun 2016 14:13:13 +0000

There are two security vulnerabilities in Exponent 2.x found on June 1, 2016. The first has been present in all versions of Exponent (2.x), and the second is found in all versions since and including v2.1.0. The fix(es) is:

Update to the latest version (v2.3.8) and install the latest patch (v2.3.8patch3). This is the recommended fix since it also addresses several security issues and other fixes not addressed in the patches to v2.2.3 nor v2.1.4.
If running a version 2.2.x installation and not wanting to update to the latest version, you should update to v2.2.3 (last release before major version update to v2.3.x) and install its latest patch (v2.2.3patch11). If you are already running v2.2.3, you'll want to install this patch to also correct some other issues.
If running a version prior to v2.2.0 (v2.0.x or v2.1.x) installation and not wanting to update to the latest version, you should update to v2.1.4 (last release before major version update to v2.2.x) and install its latest patch (v2.1.4patch8). If you are already running v2.1.4, you'll want to install this patch.
If you are unwilling to update to a newer version or the current version, you must delete these two files:

/external/adminer/admin.php - which will disable the built-in database manager
/framework/modules/pixidou/download.php - this file was never used by Exponent

Is it ok to delete / comment out Options -ExecCGI ?

generare — Fri, 26 Sep 2014 22:36:00 +0000

Is it ok to comment out Options -ExecCGI
in htaccess file in the folder of "files"?

Or should we rather find out why the server won't accept this line? It is giving an exact error that the line is accepted in the server.

View article...