Secunia

Some vulnerabilities and a security issue have been discovered in Exponent CMS, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct cross-site scripting, SQL injection attacks and disclose system information.

1) Input passed to the "email" parameter when submitting a message via the Contact module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed via the "id" parameter to index.php (when "action" is set to "view_article" and "module" is set to "articlemodule") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

3) Input passed to the "u" parameter in modules/slideshowmodule/slideshow.js.php, "url" parameter in exponent/external/magpierss/scripts/magpie_debug.php and exponent/external/magpierss/scripts/magpie_simple.php, and "rss_url" parameter in exponent/external/magpierss/scripts/magpie_slashbox.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

NOTE: Other scripts may also be affected.

4) Input passed via the "module" parameter to mod_preview.php is not properly verified before being used to read file contents. This can be exploited to access arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

NOTE: Other scripts may also be affected.

5) The application incorrectly restricts access to modules/filemanagermodule/actions/picker.php. This can be exploited by malicious users to upload and execute PHP files.

NOTE: Other scripts may also be affected.

The vulnerabilities are confirmed in version 0.97-GA20090213. Other versions may also be affected.

Solution
Upgrade to version 2.0.0pr2, which fixes vulnerabilities #1, #2, and #5 and partially fixes vulnerability #3.

Provided and/or discovered by
1) Ivan Markovic, Network Security Solutions
2) TuRcO
3) Andrei Rimsa Alvares
3, 4, 5) Gjoko Krstic, Zero Science Labs

Changelog
Further details available in Customer Area

Original Advisory
Exponent CMS:
http://www.exponentcms.org/news/showByTitle/title/exponent-cms-and-a-push-for-the-future/src/@random4cd2029e6042b

Andrei Rimsa Alvares:
http://archives.neohapsis.com/archives/bugtraq/2010-07/0049.html

Zero Science Labs:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php

Deep Links
Links available in Customer Area