exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

e107 2.0 Alpha2 Cross Site Request Forgery

e107 2.0 Alpha2 Cross Site Request Forgery
Posted Dec 28, 2014
Authored by Steffen Roesemann

e107 version 2.0 Alpha2 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
SHA-256 | bad61a5b36dfc08f099a0a7d28c918469e1cbd3bab12b139ef9c31a2aaffc113
Download | Favorite | View

e107 2.0 Alpha2 Cross Site Request Forgery

Change Mirror Download
Advisory: CSRF vulnerability in CMS e107 v.2 alpha2
Advisory ID: SROEADV-2014-04
Author: Steffen Rösemann
Affected Software: CMS e107 v.2 alpha2 (Release-Date: 08th-Jun-2014)
Vendor URL: http://e107.org
Vendor Status: solved
CVE-ID: -

==========================
Vulnerability Description:
==========================

The Content Management System e107 v.2 alpha2 allows an attacker to become
an administrative user (without rights) when tricking the admin into
executing a CSRF-vulnerable URL including the attackers user-id.

==================
Technical Details:
==================

The administrative backend of e107 v.2 alpha2 provides the functionality to
put a user instant in the administrators group by using the following url
when the administrator is already logged in:

http://{DOMAIN/HOSTNAME}/e107_admin/users.php?mode=main&action=admin&id={ID}

An attacker could try to abuse this in convincing the admin to execute a
link which contains the id of the attackers user-account or trick him to go
on a page the attacker controls where this URL is opened (e.g. in a hidden
iframe) while the admin is logged in.

The attacker knows his own id because it is shown on his user profile:

http://{DOMAIN/HOSTNAME}/user.php?id.{ID}

Although the attacker would not instant gain any rights it is a security
issue.

Combined with clickjacking and/or other social engineering attacks this
issue could be expanded to gain such elevated rights.

=========
Solution:
=========

Install the latest patch from the github repository (see below).


====================
Disclosure Timeline:
====================
22-Dec-2014 – found the vulnerability
22-Dec-2014 - informed the developers
26-Dec-2014 – release date of this security advisory [without technical
details]
27-Dec-2014 – vendor responded and provided a patch
28-Dec-2014 – release date of this security advisory
28-Dec-2014 – post on Bugtraq / FullDisclosure

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

http://e107.org
https://github.com/e107inc/e107/commit/9249f892b1e635979db2a830393694fb73531080
http://sroesemann.blogspot.de


Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close