BID:52328

Exponent CMS 'src' Parameter SQL Injection Vulnerability

Info

Exponent CMS 'src' Parameter SQL Injection Vulnerability

Bugtraq ID:	52328
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 07 2012 12:00AM
Updated:	Mar 07 2012 12:00AM
Credit:	Rob Miller, MWR InfoSecurity
Vulnerable:	Exponent Exponent CMS 2.0.4 Exponent Exponent CMS 2.0

Not Vulnerable:	Exponent Exponent CMS 2.0.5

Discussion

Exponent CMS 'src' Parameter SQL Injection Vulnerability

Exponent CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Exponent CMS 2.0.4 is vulnerable; prior versions may also be affected.

Exploit / POC

Exponent CMS 'src' Parameter SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

The following example URI is available:

http://www.example.com//exponent/cron/send_reminders.php?src=src%3d11"%3b}'%20or%201%3d1%20AND%20SLEEP(5)%20%3b%20--%20"

Solution / Fix

Exponent CMS 'src' Parameter SQL Injection Vulnerability

Solution:
Vendor updates are available. Please see the references for more information.

References

Exponent CMS 'src' Parameter SQL Injection Vulnerability

References:

Exponent CMS Homepage (Exponent)
Fixes vulnerability with send_reminders.php (github)
Exponent CMS SQL Injection (MWR InfoSecurity Advisory)