

Posted Dec 7, 2005
Authored by Marc Ruef | Site scip.ch

e107 version 0.6 is susceptible to a voting manipulation flaw in rate.php.

tags | advisory, php
SHA-256 | 95e0984c729ea5ba5d733100805fd95305beec52393b661132040af4778c98bb



e107 v0.6 rate.php voting manipulation and forwarding vulnerability

scip AG Vulnerability Advisory (11/10/2005)


e107 is an open-source content management system (CMS) that relies on
PHP and SQL.

More information is available at the official project web site:



Marc Ruef detected two flaws in rate.php. This file is responsible for
the votes users cast to rate content (e.g. the downloads). By default
this voting is served by an option combobox, for example in
download.php. Once a user has rated a content item, his user id is saved
to the table e107_rate in the corresponding rate data set.

When a user opens a download via download.php, the PHP script checks in
the background whether the user has already voted. If not, that is, if
the user id is not recorded in the rate data set, the option combobox is
shown; if he has already voted, a placeholder text string is used
instead. This pre-check tries to defend against multiple votes.

When a user selects a value in the option combobox, the browser connects
to rate.php and sends the rating data to this script in the HTTP GET
query string. The first problem lies in the possibility of replay
attacks. An attacker is able to call this rate.php URL again and again
(e.g. using the direct link rather than the real user web frontend in
download.php). Thus a manipulation of the votes may be possible.
Because in the default installation of the software the web frontend
does not show who has already voted, a deeper investigation of the
database would be necessary to detect such manipulation.

Furthermore, the same PHP script is vulnerable to a simple
redirection/forwarding attack. When a user rates a content item, he
opens the PHP script rate.php with some data in the HTTP GET query
string variable. One of the values provided is the destination after a
successful rating. An attacker may be able to craft a malicious URL and
forward a victim to potentially dangerous content.

It is very important to note that in the default installation the
variable e_BASE is always prepended to the forwarding URL. This string
holds the base address of the web site (e.g. http://www.scip.ch). So an
attacker is only able to define the directory names, file names and HTTP
GET query string variables. A possible misuse scenario is a social
engineering attack or a cross site scripting attempt. These always rely
on a flaw in other parts of the web site.


The following example URL lets us vote for the content "download" with
the id "42" every time we access this URL. The last integer defines the
rate value (between 1 and 10).


The following example URL lets us vote for a content item and afterwards
forwards us to the script /etc/passwd. All the other data is still used
for the rating procedure (e.g. saving the new value in the rate



Manipulation of ratings is not a real security problem for environments
using e107. But it is a real threat to the reliability and integrity of
all ratings within e107. An attacker may be able to compromise a rating
contest by voting multiple times for not liked or very liked

The possibility of the forwarding attack may gain elevated privileges
for an attacker, as long as he is able to exploit another vulnerability
on the target web server. Due to the fact that just the destination
directory can be defined, no cross platform attacks are


Slight changes to the affected PHP code may be able to detect and
prevent a successful attack. See VI for more technical


The e107 team has provided a bugfix for the new release 0.7 in the CVS.

To prevent multiple votes in earlier versions, the following lines should
be added to rate.php. They check once again whether the user has already
voted. If this is a multiple rating attempt, the user is forwarded to
the web site without the new data being added to the rate table.

$rater = new rater;
// checkrated() returns TRUE if this user id is already stored for this
// rate data set; the original wrote this test as !checkrated(...) == FALSE,
// which (because ! binds before ==) means the same thing
if ($rater->checkrated($qs[0], $qs[1]) != FALSE) {
    // multiple rating attempt: forward to the web site without adding the
    // new data (block body completed from the description above; the
    // original snippet was cut off after the opening brace)
    header("Location: ".e_BASE);
    exit;
}

The workaround for a false redirection can be handled by comparing the
database data with the forwarding data (e.g. if the table download is
used, then the forwarding should go to download.php anyway). If they do
not match, the forwarding should not be used. Due to the fact that in
e107 prior to 0.7 ratings are possible for downloads only, adding the
following line to rate.php will override any other forwarding URL.

$qs[2] = e_BASE."download.php?view.".$qs[1];
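As an added example that is not part of this advisory or of the e107 code base, the following PHP combines both workarounds described above (the server-side re-check against replayed rate.php requests, and a forwarding target derived from the rated table instead of from the query string) into one self-contained handler. The in-memory $RATE_TABLE standing in for e107_rate, the function names checkrated(), safe_forward() and handle_rate(), the $FORWARD_MAP and the example.invalid base URL are assumptions made for this example; only the name e_BASE and the $qs layout (table, id, forward, value) come from the advisory.

```php
<?php
// Added example (not e107 project code): a hardened version of the rate.php
// handling described in the advisory. $RATE_TABLE is a constructed stand-in
// for the e107_rate database table; all names except e_BASE and $qs are
// assumptions for this demo.

define('e_BASE', 'http://www.example.invalid/');   // placeholder base URL

// Which tables may be rated and where the user is forwarded afterwards.
// e107 prior to 0.7 rates downloads only, so the map has a single entry.
$FORWARD_MAP = array('download' => 'download.php?view.');

// Simulated e107_rate rows: "table:id" => list of user ids that already voted.
$RATE_TABLE = array('download:42' => array(7));

// TRUE if $uid is already recorded for this rate data set.
function checkrated(array $store, $table, $id, $uid) {
    $key = $table . ':' . $id;
    return isset($store[$key]) && in_array($uid, $store[$key], true);
}

// Derive the forwarding URL from the rated table instead of trusting the
// third query string element; unknown tables fall back to the base URL.
function safe_forward(array $map, $table, $id) {
    if (!isset($map[$table])) {
        return e_BASE;
    }
    return e_BASE . $map[$table] . (int)$id;
}

// $qs mirrors rate.php's split query string: [table, id, forward, value].
// Returns array(status, location) and records the vote only on success.
function handle_rate(array $qs, $uid, array &$store, array $map) {
    list($table, $id, $forward, $value) = $qs;
    $value = (int)$value;
    if ($value < 1 || $value > 10 || !ctype_digit((string)$id)) {
        return array('invalid', e_BASE);
    }
    // Server-side re-check: hiding the combobox in download.php is not a
    // control, so a replayed GET has to be refused here.
    if (checkrated($store, $table, $id, $uid)) {
        return array('already-rated', safe_forward($map, $table, $id));
    }
    $store[$table . ':' . $id][] = $uid;   // store the user id with the vote
    // $forward ($qs[2]) is ignored entirely; the target is recomputed.
    return array('rated', safe_forward($map, $table, $id));
}

// Demo: the first vote by user 9 is accepted, a replay of the very same URL
// is refused, and the request's wish to be forwarded to /etc/passwd is
// overridden by download.php in both cases.
$qs = array('download', '42', '/etc/passwd', '10');
list($s1, $l1) = handle_rate($qs, 9, $RATE_TABLE, $FORWARD_MAP);
list($s2, $l2) = handle_rate($qs, 9, $RATE_TABLE, $FORWARD_MAP);
echo "$s1 -> $l1\n";
echo "$s2 -> $l2\n";
echo count($RATE_TABLE['download:42']), " user id(s) stored for download 42\n";
```

The point of recomputing the forwarding target rather than validating $qs[2] is that there is then nothing attacker-controlled left in the Location header at all; the user id check has to live in rate.php itself because the combobox logic in download.php only shapes the page, not what the browser is allowed to request.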

Please be aware that these code lines are just suggestions and not official


The e107 team was aware of the flaws for a long time. Due to the fact
that the risk of successful exploitation was very low, no further
countermeasures were implemented. But at this time at least the flaw of
the multiple ratings has been eliminated. See VI for more details.


scip AG Vulnerability Database (german)

computec.ch document data base (german)


02/08/2005 First detection of the flaw by Marc Ruef
08/23/2005 Semi-public announcement of the flaw in the computec.ch forum
by Disenchant
11/07/2005 Technical analysis of the problem and development of
bugfixes by Marc Ruef
26/09/2005 V3 posted the "old" problem of multiple rates in the bugtrack
of e107v7[1]
12/05/2005 Public advisory by Marc Ruef with scip AG


The flaw of the rate reply attack was discovered and analyzed by Marc
Ruef and Sven Vetsch. The vulnerability of the redirection and
forwarding during rating was analyzed by Marc Ruef.

Marc Ruef, scip AG

Sven Vetsch


[1] http://e107.org/e107_plugins/bugtrack/bugtrack.php?1625.show


Copyright (c) 2005 by scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect or consequential loss or damage from use of or reliance
on this advisory.


