exploit the possibilities

e107post.txt

e107post.txt
Posted Aug 31, 2005
Authored by Marc Ruef | Site computec.ch

e107 version 0.6 has an input validation flaw in forum_post.php that allows attackers the ability to create topics in non-existing forums.

tags | advisory, php
MD5 | 3fb74b65e4e22e351796852b4c980788

e107post.txt

Change Mirror Download
Hello,

The e107 is an open-source, PHP and SQL based portal and content
management system[1]. The user Tron[2] of my website[3] has detected an
issue in forum_post.php. If you want to create a new topic you will get
to forum_post.php?nt.13 where an integer the id of the forum represents.

Because there is no real input validation an attacker may change this
number to whatever he wants to post in non-existing forums. Creating
posts in forums he has no permissions is not possible because a check is
done in line 41. But there is no check if a forum ist exiting or not.
The attacker may be able to mess up the forum/website with spam messages
- Damage correction may be require manual delete and move of affected
posts (e.g. by phpMyAdmin).

This vulnerability has been confirmed in e107 0.6. The CVS release of
0.7 may also be affected. I made the following simple enhancement of the
if-else statement, to allow postings only in existing forums (and if the
permissions are given). I also sent a bug report earlier this morning to
the developement team of e107[4].

--- cut ---

// check if user can post to this forum ...

if($sql -> db_Select("forum", "*", "forum_id=$forum_id")){
$row = $sql -> db_Fetch(); extract($row);
if(!check_class($forum_class)){
$ns -> tablerender(LAN_20, "<div
style='text-align:center'>".LAN_399."</div>");
require_once(FOOTERF);
exit;
}
}else{
require_once(HEADERF);
$ns -> tablerender(LAN_20, "<div
style='text-align:center'>".LAN_399."</div>");
require_once(FOOTERF);
exit;
}

--- cut ---

My open-source vulnerability scanner and exploiting framework "Attack
Tool Kit" (ATK) will provide plugins to determine the existence of this
flaw and to exploit it too[5].

Regards,

Marc

[1] http://www.e107.org
[2] http://www.computec.ch/user.php?id.192
[3] http://www.computec.ch
[4] http://e107.org/e107_plugins/bugtracker2/bugtracker2.php?0.bug.1424
[5] http://www.computec.ch/projekte/atk/

--
Computer, Technik und Security http://www.computec.ch/
Meine private Webseite http://www.computec.ch/mruef/
Mein Arbeitgeber http://www.scip.ch/
Login or Register to add favorites

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    32 Files
  • 25
    Nov 25th
    9 Files
  • 26
    Nov 26th
    11 Files
  • 27
    Nov 27th
    15 Files
  • 28
    Nov 28th
    9 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close