Security Notice: Closing an Exponent Security Vulnerability

Thursday, January 14, 2016 Tags: security

We've been notified of a security vulnerability which could compromise your Exponent CMS installation.  This vulnerability applies to all versions of Exponent 2.x up to v2.3.7 patch #2.  The immediate fix is to rename the /install folder to something else, or remove/delete it. Though we've been working hard to close Cross-Site Scripting (XSS) vulnerabilities, this one could be more permanent and seems to result from an anomaly within PHP which allows a string variable to be internally interpreted and processed as an array thereby masking the payload.

To see if your site has been infected, you'll need to view the /conf/config.php file in older versions or the /framework/conf/config.php in newer installations.  If infected, you will find an additional line at or near the bottom of that file which is not simply a 'define', but will have two commands on the same line separated by a semi-colon with the remainder of the line commented out. Normally a line in config.php would look something like:


however, an infected line would look similar to:

define("",""); PASSTHRU($_GET[",'"]); // ');

The immediate fix to this type infection is to remove/delete the affected line from the config.php file

We'll be shipping a formal fix to this vulnerability within a few days.  This patch #3 to v2.3.7 will also include the entire '/install' folder to ensure your v2.3.7 site can be upgraded.  The /install folder is needed not only for installations, but is also used for version upgrades, or for running an upgrade script from the Exponent/Super-Admin menu.