Bugtraq mailing list archives
e107 v0.617 several new and old vulnerabilities
From: Marc Ruef <marc.ruef () computec ch>
Date: Sun, 12 Jun 2005 15:46:24 +0200
Hello,

The e107 is an open-source, PHP and SQL based portal and content management system[1]. I found some new vulnerabilities in the current release v0.617. Also some "older" flaws[2] have been re-discovered in different ways. This email was sent some months ago to the e107 developers. They fixed some things in their last security bugfix. I am not sure which things are still remaining.
#######################################################################

* admin.php shows used content management system

The default directory for all the administrative work is called e107_admin. A connection to the file admin.php without passing any $QUERY_STRING data shows the plain admin login screen. First of all the banner of e107 is shown by default. An attacker may use this information to start specific attacks. This problem is also present in the default message of sitedown.php shown during maintenance and in the print view of print.php.

* admin.php shows different error messages during authentication

As administrator you have to authenticate by username and password. The first credential is sent as $QUERY_STRING to the same script. If a non-existing username or a username without administrative privileges is specified, the message ADLAN_87 "Administrator name not found in database " (the trailing space is really present in the English language package) is shown. If, on the other hand, an administrator's username has been specified, the message ADLAN_86 "Incorrect password " is loaded. An attacker is able to find administrative accounts by manual or automated brute force attacks.

* README.html gives sensitive information about the installation

By default a documentation directory named e107_docs is installed. An attacker is able to determine the installed software by opening the file README.html, which shows the handbook of e107. This information is useful to get familiar with the handling of the content management system.

* Direct opening of plugin php files shows web server path

e107 is a modular and plugin based content management system. All plugins are usually saved as a sub-directory of the default path e107_plugins. An attacker may be able to make a direct http request to some of the plugin files (e.g. admin_menu/admin_menu.php). This will provoke a debug error message that shows the absolute path of the php file on the web server:

--- cut ---
Warning: main(e_HANDLERuserclass_class.php): failed to open stream: No such file or directory in /home/httpd/www.computec.ch/httpdocs/e107_plugins/admin_menu/admin_menu.php on line 3

Fatal error: main(): Failed opening required 'e_HANDLERuserclass_class.php' (include_path='.:/usr/share/pear') in /home/httpd/www.computec.ch/httpdocs/e107_plugins/admin_menu/admin_menu.php on line 3
--- cut ---

I was able to determine the existence of this flaw in most of the pre-installed plugins. On the other hand just some of the 3rd party plugins were not affected. All (of the default) themes in the default themes directory e107_themes seem to be affected too. An attacker may use the path message to make a mapping of the directory of the web server. This information may be useful to start specific attacks on files and paths.

* Plugin QOTD direct access to the quote file

The additional plugin QOTD by cameron and jailist does provide a small and handy quote of the day feature. One line in the default file quote.txt is shown every time the plugin is loaded. It is possible to download this quote file directly. An attacker may use this possibility to create an exact copy of your painstakingly assembled quotes.

* error.php html injection

The file error.php is used for loading error web site messages (e.g. 404). The problem is sent as the http response code in $QUERY_STRING. If none of the well-known error codes such as 401, 403, 404 and 500 is used, an "unknown error" message is given. The data used in the $QUERY_STRING is put directly into the dynamic web site. An attacker is able to inject simple html code (e.g. bold or italic tags) on the error site. Complex html tags (e.g. links or images) seem not to be possible. Also the use of cross site scripting attacks in the tested ways is not possible.
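The following is an added example, not code from the advisory or from e107, showing the fix for the ADLAN_86 / ADLAN_87 problem described above: a single failure message for unknown names and wrong passwords alike, with the password check always executed so that response time does not reveal whether the name exists. findAdmin(), the $admins table and the use of password_hash() bcrypt hashes are assumptions for the demonstration.

```php
<?php
// Added example, not code from the advisory or from e107. One failure text
// replaces the distinct ADLAN_86 / ADLAN_87 messages. findAdmin() and the
// $admins table are hypothetical; hashes are assumed to come from password_hash().

const LOGIN_FAILED = 'Login failed.'; // same text for unknown name and wrong password

// Hypothetical lookup: returns ['hash' => ...] for an admin account, null otherwise.
function findAdmin(array $admins, string $name): ?array
{
    return $admins[$name] ?? null;
}

function authenticate(array $admins, string $name, string $password): array
{
    $admin = findAdmin($admins, $name);

    // Verify against a throwaway hash when the name is unknown, so both
    // branches do the same bcrypt work and the response time does not
    // differ between existing and non-existing administrator names.
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('not-a-real-password', PASSWORD_BCRYPT);

    $verified = password_verify($password, $admin['hash'] ?? $dummyHash);
    if ($admin === null || !$verified) {
        return ['ok' => false, 'message' => LOGIN_FAILED];
    }
    return ['ok' => true, 'message' => 'Welcome, ' . $name];
}

// Constructed sample data for the demonstration.
$admins = [
    'admin' => ['hash' => password_hash('correct-password', PASSWORD_BCRYPT)],
];

// Unknown name and wrong password both yield the identical LOGIN_FAILED text.
foreach ([['admin', 'wrong'], ['nobody', 'wrong'], ['admin', 'correct-password']] as [$user, $pass]) {
    $result = authenticate($admins, $user, $pass);
    printf("%-7s -> %s\n", $user, $result['message']);
}
```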
* usersettings.php html injection

Every registered and logged in user is able to see and change the user settings with usersettings.php. In this php file some html injection is possible. This starts with simple changes of texts by using <b> or <i>. But some complex html tags such as anchor links or references to external image files are also possible.

* usersettings.php cross site scripting

Classic cross site scripting with <script> is not possible because the string "<scri" is always cut off. But it is possible to use <IFRAME SRC=javascript:alert('XSS')></IFRAME> to cause an xss attack, for example[3, 4].

* forum_post.php cross site scripting

e107 does also provide a nicely integrated forum and comment system. The document forum_post.php is used to open new threads or to reply to another posting. Furthermore comment.php is able to show and create comments on specific parts of the web site (e.g. news, articles or downloads). Both php files are vulnerable to some specialized cross site scripting attacks. The same <IFRAME SRC=javascript:alert('XSS')></IFRAME> as in usersettings.php can be used to create a proof-of-concept. Subject and message text are vulnerable to this.

#######################################################################

My open-source vulnerability scanner and attack framework "Attack Tool Kit" (ATK) will provide plugins to determine the existence of these flaws and to exploit them too[5].

Regards,
Marc

[1] http://www.e107.org
[2] http://www.securityfocus.com/bid/10436
[3] http://www.shocking.com/~rsnake/xss.html
[4] http://www.computec.ch (German source)
[5] http://www.computec.ch/projekte/atk/

-- 
Computer, Technik und Security
http://www.computec.ch/
My private website
http://www.computec.ch/mruef/
My employer
http://www.scip.ch/
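The following is an added example, not code from the advisory or from e107, relating to the usersettings.php and forum_post.php items above. It contrasts the "<scri" blacklist behaviour the advisory describes (approximated here by deleting that substring) with HTML output encoding, using the advisory's IFRAME payload as one of the constructed inputs; the hasStartTag() check is a demonstration helper, not a real sanitizer.

```php
<?php
// Added example, not code from the advisory or from e107. It shows why a
// "<scri" blacklist does not stop the IFRAME payload while output encoding
// neutralises every constructed input. Inputs and helpers are constructed here.

// Approximation of a blacklist that cuts "<scri" out of the submitted text.
function blacklistFilter(string $input): string
{
    return str_ireplace('<scri', '', $input);
}

// Context-aware alternative: encode for the HTML text context, so the browser
// renders the characters instead of interpreting them as markup.
function encodeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demonstration check only: does the output still contain an element start
// tag ("<" followed by a letter) that a browser would parse as markup?
function hasStartTag(string $html): bool
{
    return preg_match('/<\s*[a-z]/i', $html) === 1;
}

// Constructed inputs: a plain <script> tag, the payload quoted in the
// advisory, and the simple bold/link markup the advisory mentions.
$inputs = [
    '<script>alert(1)</script>',
    "<IFRAME SRC=javascript:alert('XSS')></IFRAME>",
    '<b>bold</b> <a href="http://example.invalid/">link</a>',
];

// The blacklist only breaks the <script> case; the IFRAME and <b>/<a> inputs
// keep their start tags. The encoded output never contains a start tag.
foreach ($inputs as $input) {
    $filtered = blacklistFilter($input);
    $encoded  = encodeForHtml($input);
    printf("blacklist: %-55s markup left: %s\n", $filtered, hasStartTag($filtered) ? 'yes' : 'no');
    printf("encoded:   %-55s markup left: %s\n", $encoded, hasStartTag($encoded) ? 'yes' : 'no');
}
```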