exploit the possibilities

e107post.txt

e107post.txt
Posted Aug 31, 2005
Authored by Marc Ruef | Site computec.ch

e107 version 0.6 has an input validation flaw in forum_post.php that allows attackers the ability to create topics in non-existing forums.

tags | advisory, php
MD5 | 3fb74b65e4e22e351796852b4c980788

e107post.txt

Change Mirror Download
Hello,

The e107 is an open-source, PHP and SQL based portal and content
management system[1]. The user Tron[2] of my website[3] has detected an
issue in forum_post.php. If you want to create a new topic you will get
to forum_post.php?nt.13 where an integer the id of the forum represents.

Because there is no real input validation an attacker may change this
number to whatever he wants to post in non-existing forums. Creating
posts in forums he has no permissions is not possible because a check is
done in line 41. But there is no check if a forum ist exiting or not.
The attacker may be able to mess up the forum/website with spam messages
- Damage correction may be require manual delete and move of affected
posts (e.g. by phpMyAdmin).

This vulnerability has been confirmed in e107 0.6. The CVS release of
0.7 may also be affected. I made the following simple enhancement of the
if-else statement, to allow postings only in existing forums (and if the
permissions are given). I also sent a bug report earlier this morning to
the developement team of e107[4].

--- cut ---

// check if user can post to this forum ...

if($sql -> db_Select("forum", "*", "forum_id=$forum_id")){
$row = $sql -> db_Fetch(); extract($row);
if(!check_class($forum_class)){
$ns -> tablerender(LAN_20, "<div
style='text-align:center'>".LAN_399."</div>");
require_once(FOOTERF);
exit;
}
}else{
require_once(HEADERF);
$ns -> tablerender(LAN_20, "<div
style='text-align:center'>".LAN_399."</div>");
require_once(FOOTERF);
exit;
}

--- cut ---

My open-source vulnerability scanner and exploiting framework "Attack
Tool Kit" (ATK) will provide plugins to determine the existence of this
flaw and to exploit it too[5].

Regards,

Marc

[1] http://www.e107.org
[2] http://www.computec.ch/user.php?id.192
[3] http://www.computec.ch
[4] http://e107.org/e107_plugins/bugtracker2/bugtracker2.php?0.bug.1424
[5] http://www.computec.ch/projekte/atk/

--
Computer, Technik und Security http://www.computec.ch/
Meine private Webseite http://www.computec.ch/mruef/
Mein Arbeitgeber http://www.scip.ch/
Login or Register to add favorites

File Archive:

May 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    1 Files
  • 2
    May 2nd
    4 Files
  • 3
    May 3rd
    26 Files
  • 4
    May 4th
    17 Files
  • 5
    May 5th
    3 Files
  • 6
    May 6th
    32 Files
  • 7
    May 7th
    11 Files
  • 8
    May 8th
    2 Files
  • 9
    May 9th
    2 Files
  • 10
    May 10th
    13 Files
  • 11
    May 11th
    17 Files
  • 12
    May 12th
    22 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close