e107 v0.617 several new and old vulnerabilities
Hello,
e107 is an open-source, PHP- and SQL-based portal and content
management system[1]. I found some new vulnerabilities in the current
release v0.617. Also some "older" flaws[2] have been re-discovered in
different ways. This email was sent some months ago to the e107
developers. They fixed some things in their last security bugfix. I am
not sure which things are still remaining.
#######################################################################
* admin.php reveals the content management system in use
The default directory for all administrative work is called
e107_admin. Requesting admin.php without passing any $QUERY_STRING data
shows the plain admin login screen, which displays the e107 banner by
default. An attacker may use this information to start product-specific
attacks. The same problem exists in the default message of sitedown.php
shown during maintenance and in the print view of print.php.
* admin.php shows different error messages during authentication
As administrator you have to authenticate with username and password. The
first credential is sent as $QUERY_STRING to the same script. If a
non-existing username or a username without administrative privileges is
specified, the message ADLAN_87 "Administrator name not found in
database " (the trailing space is really present in the English language
package) is shown. If an administrator's username has been specified,
the message ADLAN_86 "Incorrect password " is loaded instead. The two
messages let an attacker enumerate administrative accounts by manual or
automated brute force attacks.
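An added example (not e107 code) of the fix for this enumeration problem: one login routine that returns the same message for an unknown name, a non-admin name and a wrong password, and verifies against a dummy hash when the name is unknown so the failure paths also take about the same time. The user table is a constructed sample.

```php
<?php
// Added example, not e107 code: uniform admin login failure handling.
// $users stands in for the database lookup (constructed sample data);
// hashes would normally be created once with password_hash() at setup.
const LOGIN_FAILED = 'Login failed: incorrect username or password';

$users = [
    'admin' => ['hash' => password_hash('s3cret-example', PASSWORD_DEFAULT), 'is_admin' => true],
    'bob'   => ['hash' => password_hash('bob-example',    PASSWORD_DEFAULT), 'is_admin' => false],
];

// A dummy hash lets password_verify() run even when the user does not exist,
// so the unknown-username path costs about as much time as the known one.
$dummyHash = password_hash('dummy-never-matches', PASSWORD_DEFAULT);

function admin_login(array $users, string $dummyHash, string $name, string $password): array
{
    $row  = $users[$name] ?? null;
    $hash = $row['hash'] ?? $dummyHash;

    // Evaluate every condition before deciding, so no branch returns early
    // with a distinguishable message or noticeably different timing.
    $passwordOk = password_verify($password, $hash);
    $isAdmin    = $row !== null && $row['is_admin'];

    if ($row === null || !$passwordOk || !$isAdmin) {
        // Log the real reason server-side if needed; never send it to the client.
        return ['ok' => false, 'message' => LOGIN_FAILED];
    }
    return ['ok' => true, 'message' => 'Welcome'];
}

// Unknown user, non-admin user and wrong password all yield the identical message.
foreach ([['nobody', 'x'], ['bob', 'bob-example'], ['admin', 'wrong']] as [$n, $p]) {
    echo admin_login($users, $dummyHash, $n, $p)['message'], "\n";
}
```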
* README.html gives sensitive information about the installation
By default a documentation directory named e107_docs is installed. An
attacker is able to determine the installed software by opening the file
README.html, which contains the e107 handbook. This information is useful
for getting familiar with the handling of the content management system.
* Direct opening of plugin PHP files reveals the web server path
e107 is a modular, plugin-based content management system. All
plugins are usually saved as a sub-directory of the default path
e107_plugins. An attacker may be able to make a direct HTTP request to
some of the plugin files (e.g. admin_menu/admin_menu.php). This
provokes a debug error message that shows the absolute path of the PHP
file on the web server:
--- cut ---
Warning: main(e_HANDLERuserclass_class.php): failed to open stream: No
such file or directory in
/home/httpd/www.computec.ch/httpdocs/e107_plugins/admin_menu/admin_menu.php
on line 3
Fatal error: main(): Failed opening required
'e_HANDLERuserclass_class.php' (include_path='.:/usr/share/pear') in
/home/httpd/www.computec.ch/httpdocs/e107_plugins/admin_menu/admin_menu.php
on line 3
--- cut ---
I was able to determine the existence of this flaw in most of the
pre-installed plugins. On the other hand, just some of the 3rd party
plugins were not affected. All (of the default) themes in the default
themes directory e107_themes seem to be affected too.
An attacker may use the path message to map the directory layout of the
web server. This information may be useful to start specific attacks on
files and paths.
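An added hardening example (not e107's own code) for the direct-request problem: a guard at the top of each plugin or theme file, plus bootstrap settings that keep PHP warnings and their absolute paths out of the HTTP response. The constant name e107_INIT and the log path are assumptions.

```php
<?php
// Added example, not e107 code. Part 1: first lines of a plugin or theme
// file. Refuse to run when the file is requested directly instead of being
// included by the framework bootstrap. The constant name e107_INIT is an
// assumption; use whatever your bootstrap actually defines before it
// includes plugins (if it defines nothing, every plugin would refuse to load).
if (!defined('e107_INIT')) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Part 2: settings for the bootstrap (or php.ini) so that even an unguarded
// file cannot leak its absolute path: warnings and fatal errors go to a log
// outside the document root and the browser sees nothing.
// The log file location below is a placeholder.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/PLACEHOLDER/outside-webroot/php-error.log');
```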
* Plugin QOTD: direct access to the quote file
The additional plugin QOTD by cameron and jailist provides a small
and handy quote-of-the-day feature. One line of the default file
quote.txt is shown every time the plugin is loaded. It is possible to
download this quote file directly. An attacker may use this possibility
to create an exact copy of your painstakingly assembled quotes.
* error.php HTML injection
The file error.php is used for loading error page messages (e.g.
404). The error is passed as the HTTP response code in $QUERY_STRING.
If none of the well-known error codes such as 401, 403, 404 and 500 is
used, an "unknown error" message is given. The data from the
$QUERY_STRING is put directly into the dynamic web page. An attacker is
able to inject simple HTML (e.g. bold or italic tags) into the error
page. Complex HTML tags (e.g. links or images) seem not to be possible.
Cross site scripting in the tested ways is not possible either.
* usersettings.php HTML injection
Every registered and logged-in user is able to see and change their user
settings with usersettings.php. In this PHP file some HTML injection is
possible. This starts with simple changes of text by using <b> or
<i>. But more complex HTML tags such as anchor links or references to
external image files are also possible.
* usersettings.php cross site scripting
Classic cross site scripting with <script> is not possible because the
string "<scri" is always cut off. But it is possible to use <IFRAME
SRC=javascript:alert('XSS')></IFRAME> to cause an XSS attack, for
example[3, 4].
* forum_post.php cross site scripting
e107 also provides a nicely integrated forum and comment system. The
document forum_post.php is used to open new threads or to reply to another
posting. Furthermore, comment.php is able to show and create comments on
specific parts of the web site (e.g. news, articles or downloads).
Both PHP files are vulnerable to some specialized cross site
scripting attacks. The same <IFRAME
SRC=javascript:alert('XSS')></IFRAME> as in usersettings.php can be
used to create a proof-of-concept. Subject and message text are
vulnerable to this.
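An added example (not e107 code) covering the usersettings.php and forum_post.php findings above: a reconstruction of the described "<scri" blacklist beside contextual HTML encoding, run over the strings quoted in this advisory. The blacklist function is an assumption about the described behaviour, not e107's actual implementation.

```php
<?php
// Added example, not e107 code: why stripping "<scri" does not stop the
// IFRAME payload quoted in this advisory, and why output encoding does.

// Blacklist filter as described in the advisory (reconstruction, assumed to
// be a case-insensitive removal of the substring "<scri").
function blacklist_filter(string $input): string
{
    return str_ireplace('<scri', '', $input);
}

// Contextual output encoding for HTML body text: < > & " ' all become
// entities, so no tag or attribute can be formed whatever tag name is used.
function html_encode(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Rough check for the demo: does the output still contain a markup tag?
function contains_tag(string $output): bool
{
    return (bool) preg_match('/<[a-z][^>]*>/i', $output);
}

// Constructed samples: the two payloads from the advisory plus the simple
// HTML injection it describes.
$samples = [
    '<script>alert(1)</script>',                                  // caught by the blacklist
    "<IFRAME SRC=javascript:alert('XSS')></IFRAME>",              // passes the blacklist
    '<b>bold</b> and <a href="http://example.invalid">link</a>', // HTML injection
];

foreach ($samples as $s) {
    $filtered = blacklist_filter($s);
    $encoded  = html_encode($s);
    printf("blacklist: %-60s tag left? %s\n",   $filtered, contains_tag($filtered) ? 'yes' : 'no');
    printf("encoded:   %-60s tag left? %s\n\n", $encoded,  contains_tag($encoded)  ? 'yes' : 'no');
}
```

The blacklist only defuses the first sample; the encoded output never contains a tag, which is the property a fix for usersettings.php, forum_post.php and comment.php needs.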
#######################################################################
My open-source vulnerability scanner and attack framework "Attack Tool
Kit" (ATK) will provide plugins to determine the existence of these flaws
and to exploit them too[5].
Regards,
Marc
[1] http://www.e107.org
[2] http://www.securityfocus.com/bid/10436
[3] http://www.shocking.com/~rsnake/xss.html
[4] http://www.computec.ch (German source)
[5] http://www.computec.ch/projekte/atk/
--
Computers, Technology and Security http://www.computec.ch/
My private website http://www.computec.ch/mruef/
My employer http://www.scip.ch/