lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CALH-=7w9ZSk9BiORft8xP+v4gS-qndkQD7Nvw0UK__6-gKrUEw@mail.gmail.com>
Date: Sun, 28 Dec 2014 00:24:13 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CSRF vulnerability in CMS e107 v.2 alpha2

Advisory: CSRF vulnerability in CMS e107 v.2 alpha2
Advisory ID: SROEADV-2014-04
Author: Steffen Rösemann
Affected Software: CMS e107 v.2 alpha2 (Release-Date: 08th-Jun-2014)
Vendor URL: http://e107.org
Vendor Status: solved
CVE-ID: -

==========================
Vulnerability Description:
==========================

The Content Management System e107 v.2 alpha2 allows an attacker to become
an administrative user (without rights) when tricking the admin into
executing a CSRF-vulnerable URL including the attackers user-id.

==================
Technical Details:
==================

The administrative backend of e107 v.2 alpha2 provides the functionality to
put a user instant in the administrators group by using the following url
when the administrator is already logged in:

http://{DOMAIN/HOSTNAME}/e107_admin/users.php?mode=main&action=admin&id={ID}

An attacker could try to abuse this in convincing the admin to execute a
link which contains the id of the attackers user-account or trick him to go
on a page the attacker controls where this URL is opened (e.g. in a hidden
iframe) while the admin is logged in.

The attacker knows his own id because it is shown on his user profile:

http://{DOMAIN/HOSTNAME}/user.php?id.{ID}

Although the attacker would not instant gain any rights it is a security
issue.

Combined with clickjacking and/or other social engineering attacks this
issue could be expanded to gain such elevated rights.

=========
Solution:
=========

Install the latest patch from the github repository (see below).


====================
Disclosure Timeline:
====================
22-Dec-2014 – found the vulnerability
22-Dec-2014 - informed the developers
26-Dec-2014 – release date of this security advisory [without technical
details]
27-Dec-2014 – vendor responded and provided a patch
28-Dec-2014 – release date of this security advisory
28-Dec-2014 – post on Bugtraq / FullDisclosure

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

http://e107.org
https://github.com/e107inc/e107/commit/9249f892b1e635979db2a830393694fb73531080
http://sroesemann.blogspot.de

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists