e107 0.6 forum_post.php create new topics in non-existing forums

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: e107 0.6 forum_post.php create new topics in non-existing forums
From: Marc Ruef <marc.ruef@xxxxxxxxxxx>
Date: Tue, 30 Aug 2005 09:55:16 +0200
Cc: full-disclosure@xxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, partners@xxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.computec.ch/?of
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)

Hello,

The e107 is an open-source, PHP and SQL based portal and content

management system[1]. The user Tron[2] of my website[3] has detected anissue in forum_post.php. If you want to create a new topic you will getto forum_post.php?nt.13 where an integer the id of the forum represents.

Because there is no real input validation an attacker may change thisnumber to whatever he wants to post in non-existing forums. Creatingposts in forums he has no permissions is not possible because a check isdone in line 41. But there is no check if a forum ist exiting or not.The attacker may be able to mess up the forum/website with spam messages- Damage correction may be require manual delete and move of affectedposts (e.g. by phpMyAdmin).

This vulnerability has been confirmed in e107 0.6. The CVS release of0.7 may also be affected. I made the following simple enhancement of theif-else statement, to allow postings only in existing forums (and if thepermissions are given). I also sent a bug report earlier this morning tothe developement team of e107[4].


--- cut ---

// check if user can post to this forum ...

if($sql -> db_Select("forum", "*", "forum_id=$forum_id")){
        $row = $sql -> db_Fetch(); extract($row);
        if(!check_class($forum_class)){

$ns -> tablerender(LAN_20, "<divstyle='text-align:center'>".LAN_399."</div>");

                require_once(FOOTERF);
                exit;
        }
}else{
                require_once(HEADERF);

$ns -> tablerender(LAN_20, "<divstyle='text-align:center'>".LAN_399."</div>");

                require_once(FOOTERF);
                exit;
}

--- cut ---

My open-source vulnerability scanner and exploiting framework "AttackTool Kit" (ATK) will provide plugins to determine the existence of thisflaw and to exploit it too[5].


Regards,

Marc

[1] http://www.e107.org
[2] http://www.computec.ch/user.php?id.192
[3] http://www.computec.ch
[4] http://e107.org/e107_plugins/bugtracker2/bugtracker2.php?0.bug.1424
[5] http://www.computec.ch/projekte/atk/

--
Computer, Technik und Security                  http://www.computec.ch/
Meine private Webseite                    http://www.computec.ch/mruef/
Mein Arbeitgeber                                    http://www.scip.ch/

Prev by Date: Re: ICMP attacks against TCP: Conclusions
Next by Date: [UNTRUE] Gadu-Gadu supposedly fixed the invisible detection vulnerability?
Previous by thread: [ GLSA 200508-20 ] phpGroupWare: Multiple vulnerabilities
Next by thread: [UNTRUE] Gadu-Gadu supposedly fixed the invisible detection vulnerability?
Index(es):
- Date
- Thread