[Full-disclosure] e107 CMS Multiple Vulnerabilities
Justin Klein Keane
justin at madirish.net
Sun Aug 22 21:29:41 BST 2010
-----BEGIN PGP SIGNED MESSAGE-----
Details of this report may also be found at
Description of Vulnerability:
e107 (http://e107.org) is a PHP/MySQL based content management system.
e107 allows anonymous users to submit news items for display on the
front page. These items enter a queue for review by admins and are
subsequently approved or rejected.
e107 suffers from cross site scripting (XSS) vulnerabilities because it
fails to properly sanitize user supplied input when rendering submitted
news item titles for administrative review. Malicious users can submit
news at the default submitnews.php URL. e107 sanitizes single quotes to
prevent against SQL injection but does not alter double quotes or HTML
after their title and this script would execute silently when an
administrator viewed the approval queue at e107_admin/newspost.php?sn.
e107 suffers from a cross site request forgery (XSRF) vulnerability
because it fails to use a difficult to discover random token in the user
add form located at e107_admin/users.php?create. The token is carried
in a hidden form field 'ac' and is derived from the MD5 hash of the
administrative user accounts create date. When the administrative
account is created the unix timestamp is stored in the MySQL database in
the e107_user.user_pwchange column. Because logged in users can view
the 'Joined' state of the admin user at /user.php?id.1 it is easy to
derive the unix timestamp for the creation date of the account.
e107 0.7.22 was tested and shown to be vulnerable
Unauthenticated users can exploit these vulnerabilities to attack other
users, potentially compromising the e107 service or host.
Upgrade to the latest version of e107 in order to mitigate these
Justin Klein Keane
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
Full-Disclosure is hosted and sponsored by Secunia.