<<< Date Index >>>     <<< Thread Index >>>

e107 0.6 forum_post.php create new topics in non-existing forums



Hello,

The e107 is an open-source, PHP and SQL based portal and content
management system[1]. The user Tron[2] of my website[3] has detected an issue in forum_post.php. If you want to create a new topic you will get to forum_post.php?nt.13 where an integer the id of the forum represents.

Because there is no real input validation an attacker may change this number to whatever he wants to post in non-existing forums. Creating posts in forums he has no permissions is not possible because a check is done in line 41. But there is no check if a forum ist exiting or not. The attacker may be able to mess up the forum/website with spam messages - Damage correction may be require manual delete and move of affected posts (e.g. by phpMyAdmin).

This vulnerability has been confirmed in e107 0.6. The CVS release of 0.7 may also be affected. I made the following simple enhancement of the if-else statement, to allow postings only in existing forums (and if the permissions are given). I also sent a bug report earlier this morning to the developement team of e107[4].

--- cut ---

// check if user can post to this forum ...

if($sql -> db_Select("forum", "*", "forum_id=$forum_id")){
        $row = $sql -> db_Fetch(); extract($row);
        if(!check_class($forum_class)){
$ns -> tablerender(LAN_20, "<div style='text-align:center'>".LAN_399."</div>");
                require_once(FOOTERF);
                exit;
        }
}else{
                require_once(HEADERF);
$ns -> tablerender(LAN_20, "<div style='text-align:center'>".LAN_399."</div>");
                require_once(FOOTERF);
                exit;
}

--- cut ---

My open-source vulnerability scanner and exploiting framework "Attack Tool Kit" (ATK) will provide plugins to determine the existence of this flaw and to exploit it too[5].

Regards,

Marc

[1] http://www.e107.org
[2] http://www.computec.ch/user.php?id.192
[3] http://www.computec.ch
[4] http://e107.org/e107_plugins/bugtracker2/bugtracker2.php?0.bug.1424
[5] http://www.computec.ch/projekte/atk/

--
Computer, Technik und Security                  http://www.computec.ch/
Meine private Webseite                    http://www.computec.ch/mruef/
Mein Arbeitgeber                                    http://www.scip.ch/