-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

e107 v0.6 rate.php voting manipulation and forwarding vulnerability

scip AG Vulnerability Advisory (11/10/2005)
http://www.scip.ch

I. INTRODUCTION

e107 is the name of an open-source content management system (CMS) that relies on PHP and SQL. More information is available at the official project web site: http://e107.org

II. DESCRIPTION

Marc Ruef detected two flaws in rate.php. This file is responsible for the votes users cast to rate content (e.g. the downloads). By default this voting is offered as an option combobox, for example in download.php. Once a user has rated a content item, his user id is saved in the corresponding rate data set in the table e107_rate. When a user opens a download via download.php, the PHP script checks in the background whether the user has already voted. If not, i.e. the user id is not recorded in the rate data set, the option combobox is shown; if he has already voted, a placeholder text string is used instead. This pre-check tries to defend against multiple votes. When a user selects a value in the option combobox, the browser connects to rate.php and sends the rating data to this script as an HTTP GET query string.

The first problem is the possibility of replay attacks. An attacker is able to call this rate.php URL again and again (e.g. using the direct link rather than the real user web frontend in download.php). Thus a manipulation of the votes may be possible. Because in the default installation the web frontend does not show who has already voted, a deeper investigation of the database would be necessary to notice this.

Furthermore the same PHP script is vulnerable to a simple redirection/forwarding attack. When a user rates a content item, he opens the PHP script rate.php with some data in the HTTP GET query string variable. One of the values provided is the destination directory after a successful rating.
An attacker may be able to create a malicious URL and forward a victim to potentially dangerous content. It is very important to note that in the default installation the variable e_BASE is always prepended to the forwarding URL. This string holds the base address of the web site (e.g. http://www.scip.ch). So an attacker is only able to define the directory names, file names and HTTP GET query string variables. A possible misuse scenario is a social engineering attack or a cross-site scripting attempt; these always rely on a flaw in other parts of the web site.

III. EXPLOITATION

The following example URL lets us vote for the content "download" with the id "42" every time we access this URL. The last integer defines the rate value (between 1 and 10).

http://www.scip.ch/rate.php?download^42^/download.php?view.42^5

The following example URL lets us vote for a content item, after which we are forwarded to /etc/passwd. All the other data is still used for the rating procedure (e.g. saving the new value in the rate table).

http://www.scip.ch/rate.php?download^23^/etc/passwd^1

IV. IMPACT

Manipulation of ratings is not a real security problem for environments using e107. But it is a real threat to the reliability and integrity of all the ratings within e107. An attacker may be able to compromise a rating contest by voting multiple times for disliked or favoured content. The forwarding attack may let an attacker gain elevated privileges, provided he is able to exploit another vulnerability on the target web server. Because only the destination path can be defined, no cross-platform attacks are possible.

V. DETECTION

Slight changes to the affected PHP code can detect and prevent a successful attack. See VI for more technical details.

VI. WORKAROUND

The e107 team has provided a bugfix for the new release 0.7 in the CVS.
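As an added example (not e107's own code and not an official patch), the following PHP combines the two workarounds described in this section: a vote is stored only once per user, and the forwarding URL is derived from the rated table instead of being taken from the query string. The "^"-separated query layout, the value of e_BASE and the in-memory $voted array standing in for the e107_rate table are assumptions.

```php
<?php
// Added example (not e107's code, not an official patch): the two section VI
// workarounds applied to rate.php's "^"-separated query (table^id^dest^value,
// assumed from the advisory URLs). $voted stands in for the e107_rate table.
define('e_BASE', 'http://www.scip.ch/');          // assumed base address

// Before 0.7 only downloads are ratable; map each table to its view page.
const RATE_TARGETS = ['download' => 'download.php?view.'];
// Parse "download^42^/download.php?view.42^5"; reject unknown tables and
// values outside 1..10. The client-supplied destination ($qs[2]) is ignored.
function parse_rate_query(string $query): ?array {
    $qs = explode('^', $query);
    if (count($qs) !== 4 || !ctype_digit($qs[1]) || !ctype_digit($qs[3])) {
        return null;
    }
    [$table, $id, , $value] = $qs;
    if (!array_key_exists($table, RATE_TARGETS) || (int) $value < 1 || (int) $value > 10) {
        return null;
    }
    return ['table' => $table, 'id' => (int) $id, 'value' => (int) $value];
}
// Redirection workaround: derive the Location from the rated table, never
// from the query string, so a destination like /etc/passwd is never used.
function safe_forward(string $table, int $id): string {
    return e_BASE . RATE_TARGETS[$table] . $id;
}
// Replay workaround: store the vote only when this user has not rated the
// item yet (the question e107's checkrated() answers); always forward safely.
function handle_rate(array &$voted, int $userId, string $query): array {
    $r = parse_rate_query($query);
    if ($r === null) {
        return ['saved' => false, 'location' => e_BASE];
    }
    $key = $r['table'] . ':' . $r['id'];
    $already = in_array($userId, $voted[$key] ?? [], true);
    if (!$already) {
        $voted[$key][] = $userId;
    }
    return ['saved' => !$already, 'location' => safe_forward($r['table'], $r['id'])];
}
// Constructed walk-through: user 7 replays the advisory's first URL, then sends
// the /etc/passwd variant; only the first vote is stored, all redirects are safe.
$voted = [];
foreach (['download^42^/download.php?view.42^5', 'download^42^/download.php?view.42^5',
          'download^23^/etc/passwd^1'] as $q) {
    $res = handle_rate($voted, 7, $q);
    printf("%-38s saved=%s -> %s\n", $q, var_export($res['saved'], true), $res['location']);
}
```

Run with the PHP CLI; the printed lines show the second, replayed vote rejected and every Location pointing at download.php rather than the supplied destination.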
To prevent multiple votes in earlier versions the following lines should be added to rate.php. They check once again whether the user has already voted. If this is a repeated rating attempt, the user is forwarded to the web site without the new data being added to the rate table.

    // $qs holds the "^"-separated query string fields: table, id, destination, value
    require_once(e_HANDLER."rate_class.php");
    $rater = new rater;
    // checkrated() returns TRUE when this user has already rated the item,
    // so forward without saving the vote again
    if ($rater->checkrated($qs[0], $qs[1])) {
        header("location:".e_BASE.$qs[2]);
        exit;
    }

The workaround for a false redirection is to compare the data used for the database with the forwarding data (e.g. if the table download is used then the forwarding should go to download.php anyway). If they do not match, the forwarding should not be used. Because in e107 prior to 0.7 only downloads can be rated, adding the following line to rate.php will override any other forwarding URL.

    // if rate.php already prepends e_BASE when building the Location header,
    // omit it here so the base address is not doubled
    $qs[2] = e_BASE."download.php?view.".$qs[1];

Please be aware that these code lines are just suggestions and not official patches.

VII. VENDOR RESPONSE

The e107 team has been aware of the flaws for a long time. Because the risk of successful exploitation was very low, no further countermeasures were implemented. But at this time at least the flaw of the multiple ratings has been eliminated. See VI for more details.

VIII. SOURCES

scip AG Vulnerability Database (German)
http://www.scip.ch/cgi-bin/smss/showadvf.pl

computec.ch document database (German)
http://www.computec.ch/download.php?list.26
http://www.computec.ch/download.php?list.25

IX. DISCLOSURE TIMELINE

02/08/2005 First detection of the flaw by Marc Ruef
08/23/2005 Semi-public announcement of the flaw in the computec.ch forum by Disenchant
11/07/2005 Technical analysis of the problem and development of bugfixes by Marc Ruef
26/09/2005 V3 posted the "old" problem of multiple rates in the bugtrack of e107v7 [1]
12/05/2005 Public advisory by Marc Ruef with scip AG

X. CREDITS

The flaw of the rate replay attack was discovered and analyzed by Marc Ruef and Sven Vetsch. The vulnerability of the redirection and forwarding during rating was analyzed by Marc Ruef.

Marc Ruef, scip AG
maru-at-scip.ch
http://www.scip.ch

Sven Vetsch
admin-at-disenchant.ch
http://www.disenchant.ch

A1. BIBLIOGRAPHY

[1] http://e107.org/e107_plugins/bugtrack/bugtrack.php?1625.show

A2. LEGAL NOTICES

Copyright (c) 2005 by scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG. The information in the advisory is believed to be accurate at the time of publishing. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://www.scip.ch

iQA/AwUBQ5QDURe5hzJzqVMhEQK2GACfcoePtivcmANoIRXurbGTIH9vXt0An02e
M1l0gozHFvbAWw3WoNYU+n63
=VhT/
-----END PGP SIGNATURE-----