'[Full-disclosure] e107 0.6 forum_post.php create new topics in'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] e107 0.6 forum_post.php create new topics in
From:       Marc Ruef <marc.ruef () computec ! ch>
Date:       2005-08-30 7:55:16
Message-ID: 431410E4.9040906 () computec ! ch
[Download RAW message or body]

Hello,

The e107 is an open-source, PHP and SQL based portal and content
management system[1]. The user Tron[2] of my website[3] has detected an 
issue in forum_post.php. If you want to create a new topic you will get 
to forum_post.php?nt.13 where an integer the id of the forum represents.

Because there is no real input validation an attacker may change this 
number to whatever he wants to post in non-existing forums. Creating 
posts in forums he has no permissions is not possible because a check is 
done in line 41. But there is no check if a forum ist exiting or not. 
The attacker may be able to mess up the forum/website with spam messages 
- Damage correction may be require manual delete and move of affected 
posts (e.g. by phpMyAdmin).

This vulnerability has been confirmed in e107 0.6. The CVS release of 
0.7 may also be affected. I made the following simple enhancement of the 
if-else statement, to allow postings only in existing forums (and if the 
permissions are given). I also sent a bug report earlier this morning to 
the developement team of e107[4].

--- cut ---

// check if user can post to this forum ...

if($sql -> db_Select("forum", "*", "forum_id=$forum_id")){
         $row = $sql -> db_Fetch(); extract($row);
         if(!check_class($forum_class)){
                 $ns -> tablerender(LAN_20, "<div 
style='text-align:center'>".LAN_399."</div>");
                 require_once(FOOTERF);
                 exit;
         }
}else{
                 require_once(HEADERF);
                 $ns -> tablerender(LAN_20, "<div 
style='text-align:center'>".LAN_399."</div>");
                 require_once(FOOTERF);
                 exit;
}

--- cut ---

My open-source vulnerability scanner and exploiting framework "Attack 
Tool Kit" (ATK) will provide plugins to determine the existence of this 
flaw and to exploit it too[5].

Regards,

Marc

[1] http://www.e107.org
[2] http://www.computec.ch/user.php?id.192
[3] http://www.computec.ch
[4] http://e107.org/e107_plugins/bugtracker2/bugtracker2.php?0.bug.1424
[5] http://www.computec.ch/projekte/atk/

-- 
Computer, Technik und Security                  http://www.computec.ch/
Meine private Webseite                    http://www.computec.ch/mruef/
Mein Arbeitgeber                                    http://www.scip.ch/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic