Try a 'Fresh Fix' for 2016 Exponent CMS Forums Back Up!

Security Notice: Closing an Exponent Security Vulnerability

Thursday, January 14, 2016 Tags: security

We've been notified of a security vulnerability which could compromise your Exponent CMS installation. This vulnerability applies to all versions of Exponent 2.x up to v2.3.7 patch #2. The immediate fix is to rename the /install folder to something else, or remove/delete it. Though we've been working hard to close Cross-Site Scripting (XSS) vulnerabilities, this one could be more permanent and seems to result from an anomaly within PHP which allows a string variable to be internally interpreted and processed as an array thereby masking the payload.

To see if your site has been infected, you'll need to view the /conf/config.php file in older versions or the /framework/conf/config.php in newer installations. If infected, you will find an additional line at or near the bottom of that file which is not simply a 'define', but will have two commands on the same line separated by a semi-colon with the remainder of the line commented out. Normally a line in config.php would look something like:

define("DB_ENGINE",'mysqli');

however, an infected line would look similar to:

define("",""); PASSTHRU($_GET[",'"]); // ');

The immediate fix to this type infection is to remove/delete the affected line from the config.php file

We'll be shipping a formal fix to this vulnerability within a few days. This patch #3 to v2.3.7 will also include the entire '/install' folder to ensure your v2.3.7 site can be upgraded. The /install folder is needed not only for installations, but is also used for version upgrades, or for running an upgrade script from the Exponent/Super-Admin menu.

Try a 'Fresh Fix' for 2016 Exponent CMS Forums Back Up!

Join the Exponent Community
: Like Exponent CMS on Facebook; Follow Exponent CMS on Twitter

Forum Activity

Jan 01, 2024 @ 06:24 PM by dleffler v3.0.1patch3 released to update v3.0.0rc1/v3.0.1patch1 | Announcements
Jan 01, 2024 @ 06:22 PM by dleffler v2.7.1patch2 released to fix anomalies with v2.7.1 release | Announcements
May 31, 2023 @ 08:52 PM by dleffler v3.0.1patch2 released to update v3.0.0rc1/v3.0.1patch1 | Announcements
May 31, 2023 @ 08:50 PM by dleffler v2.7.1patch1 released to fix anomalies with v2.7.1 release | Announcements
Mar 07, 2023 @ 07:41 PM by dleffler v3.0.1patch1 released to update v3.0.0rc1 to v3.0.1 and fix anomalies with that release | Announcements
Mar 07, 2023 @ 07:14 PM by dleffler v2.7.1patch1 released to fix anomalies with v2.7.1 release | Announcements

File a Bug Report

Help Improve Exponent

Who Did This?

Exponent CMS is written and maintained by Online Innovative Creations (OIC Group, Inc.), a Peoria web design and development company. OIC Group, Inc. specializes in a wide range of web-based solutions for enterprise-level organizations and local businesses in Peoria. Learn more about this Peoria web design company. Spanning from custom website design and development to local SEO and social media marketing, OIC Group, Inc. is full-service web marketing firm that offers a wealth of solutions.

As the creator of Exponent CMS, OIC Group, Inc. offer fully-custom web design and development programs. To view examples of the company's work, visit the local website design portfolio to see both local and enterprise-level websites that OIC has created. In addition to search engine friendly websites, other specialties of OIC Group, Inc. include website optimization, conversion rate optimization, social media marketing, PPC advertising and Google Ads, local SEO and ecommerce SEO services.

If you're looking for ways to improve the potential of your Exponent CMS website, connect with Exponent CMS on Google+. To stay abreast various ways to better optimize your Exponent CMS website, follow OIC Group web design on Facebook.