lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 30 Aug 2005 09:55:16 +0200
From: Marc Ruef <marc.ruef@...putec.ch>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk, bugs@...uritytracker.com,
	partners@...unia.com, news@...uriteam.com,
	submissions@...ketstormsecurity.org
Subject: e107 0.6 forum_post.php create new topics in
	non-existing forums


Hello,

The e107 is an open-source, PHP and SQL based portal and content
management system[1]. The user Tron[2] of my website[3] has detected an 
issue in forum_post.php. If you want to create a new topic you will get 
to forum_post.php?nt.13 where an integer the id of the forum represents.

Because there is no real input validation an attacker may change this 
number to whatever he wants to post in non-existing forums. Creating 
posts in forums he has no permissions is not possible because a check is 
done in line 41. But there is no check if a forum ist exiting or not. 
The attacker may be able to mess up the forum/website with spam messages 
- Damage correction may be require manual delete and move of affected 
posts (e.g. by phpMyAdmin).

This vulnerability has been confirmed in e107 0.6. The CVS release of 
0.7 may also be affected. I made the following simple enhancement of the 
if-else statement, to allow postings only in existing forums (and if the 
permissions are given). I also sent a bug report earlier this morning to 
the developement team of e107[4].

--- cut ---

// check if user can post to this forum ...

if($sql -> db_Select("forum", "*", "forum_id=$forum_id")){
         $row = $sql -> db_Fetch(); extract($row);
         if(!check_class($forum_class)){
                 $ns -> tablerender(LAN_20, "<div 
style='text-align:center'>".LAN_399."</div>");
                 require_once(FOOTERF);
                 exit;
         }
}else{
                 require_once(HEADERF);
                 $ns -> tablerender(LAN_20, "<div 
style='text-align:center'>".LAN_399."</div>");
                 require_once(FOOTERF);
                 exit;
}

--- cut ---

My open-source vulnerability scanner and exploiting framework "Attack 
Tool Kit" (ATK) will provide plugins to determine the existence of this 
flaw and to exploit it too[5].

Regards,

Marc

[1] http://www.e107.org
[2] http://www.computec.ch/user.php?id.192
[3] http://www.computec.ch
[4] http://e107.org/e107_plugins/bugtracker2/bugtracker2.php?0.bug.1424
[5] http://www.computec.ch/projekte/atk/

-- 
Computer, Technik und Security                  http://www.computec.ch/
Meine private Webseite                    http://www.computec.ch/mruef/
Mein Arbeitgeber                                    http://www.scip.ch/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists