Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] e107 0.6 forum_post.php create new topics in non-exist

from [Marc Ruef] Network Security [Permanent Link]
Subject: [Full-disclosure] e107 0.6 forum_post.php create new topics in non-existing forums
Date: Tue, 30 Aug 2005 09:55:16 +0200 
Hello,

The e107 is an open-source, PHP and SQL based portal and content
management system[1]. The user Tron[2] of my website[3] has detected an issue in forum_post.php. If you want to create a new topic you will get to forum_post.php?nt.13 where an integer the id of the forum represents.

Because there is no real input validation an attacker may change this number to whatever he wants to post in non-existing forums. Creating posts in forums he has no permissions is not possible because a check is done in line 41. But there is no check if a forum ist exiting or not. The attacker may be able to mess up the forum/website with spam messages - Damage correction may be require manual delete and move of affected posts (e.g. by phpMyAdmin).

This vulnerability has been confirmed in e107 0.6. The CVS release of 0.7 may also be affected. I made the following simple enhancement of the if-else statement, to allow postings only in existing forums (and if the permissions are given). I also sent a bug report earlier this morning to the developement team of e107[4].

--- cut ---

// check if user can post to this forum ...

if($sql -> db_Select("forum", "*", "forum_id=$forum_id")){
$row = $sql -> db_Fetch(); extract($row);
if(!check_class($forum_class)){
$ns -> tablerender(LAN_20, "<div style='text-align:center'>".LAN_399."</div>");
require_once(FOOTERF);
exit;
}
}else{
require_once(HEADERF);
$ns -> tablerender(LAN_20, "<div style='text-align:center'>".LAN_399."</div>");
require_once(FOOTERF);
exit;
}

--- cut ---

My open-source vulnerability scanner and exploiting framework "Attack Tool Kit" (ATK) will provide plugins to determine the existence of this flaw and to exploit it too[5].

Regards,

Marc

[1] http://www.e107.org
[2] http://www.computec.ch/user.php?id.192
[3] http://www.computec.ch
[4] http://e107.org/e107_plugins/bugtracker2/bugtracker2.php?0.bug.1424
[5] http://www.computec.ch/projekte/atk/

--
Computer, Technik und Security                  http://www.computec.ch/
Meine private Webseite                    http://www.computec.ch/mruef/
Mein Arbeitgeber                                    http://www.scip.ch/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] e107 0.6 forum_post.php create new topics in non-existing forums, Marc Ruef <=
Previous by Date:  Re: [Full-disclosure] The Wireless Networking Excuse, Jackson McKinley
Next by Date:  Re: Out of Office AutoReply: [Full-disclosure] Julie Terranson, poo
Previous by Thread:  [Full-disclosure] [USN-173-3] Fixed apache2 packages for USN-173-2, Martin Pitt
Next by Thread:  Re: Out of Office AutoReply: [Full-disclosure] Julie Terranson, poo
Indexes:  [Date] [Thread] [Top] [All Lists]