E107 security vulnerabilities, exploits, metasploit modules, vulnerability statistics and list of versions.
The e107 CMS consists of 317,356 lines of code and was analyzed in about 2 minutes. Many of the vulnerabilities found by RIPS are exploitable, despite a few exceptions. The main reason for these exceptions is that e107 contains a lot of code from previous releases, and thus not all affected functions are reachable.
Most of the SQL injection vulnerabilities are caused by missing quotes. The input gets escaped properly, but since it is not surrounded by quotes, the escaping is ineffective and the SQL query can be modified.
The truncated analysis results are available in our RIPS demo application. Please note that we limited the results to the issues described in this post in order to ensure a fix is available.

Case Study: PHP Object Injection to Privilege Escalation

e107 suffers from a PHP object injection vulnerability, i.e., user input is passed to the function unserialize. The MD5 sum of the user input is checked in line 354, but there is no secret involved and thus an attacker can simply calculate the value himself.
The correct approach would have been to use a keyed-hash message authentication code (HMAC) to prevent modifications by malicious users that do not possess the secret key.

```php
function update($tableName, $arg, $debug = FALSE, $logtype = '', $logremark = '')
{
    $table = $this->dbIsLang($tableName);
    // the SET clause is built from the caller's array keys and values
    $arg = $this->prepareUpdateArg($tableName, $arg);
    // $table and ' SET ' assumed here: the extracted snippet kept only the prefix and $arg
    $query = 'UPDATE '.$this->mySQLPrefix.$table.' SET '.$arg;
    $result = $this->mySQLresult = $this->dbQuery($query, NULL, 'dbUpdate');
    // ... (rest of the method not shown in the post)
}
```

Namely, the data is used in a SQL UPDATE query. This query is built using the prepareUpdateArg method.
All values are escaped by getFieldValue in line 1088 of the method prepareUpdateArg. However, with the help of the object injection, an attacker is able to specify arbitrary array keys, and those are not sanitized in any way. This allows the attacker to modify the UPDATE query that is performed on the user table and to set arbitrary values. It is possible to change permissions of accounts, set new passwords, read information from other tables, and inject JavaScript into the database for persistent cross-site scripting attacks.
In short, the attacker has full control over the application.

Time Line

Date        What
2016/11/18  First contact with vendor
2016/11/21  Sent details to vendor
2016/11/29  Vendor starts patching the less-severe vulnerabilities
2016/11/29  Coordination with vendor about release of blog post
2016/12/13  Rechecked status with vendor about release date
2016/12/23  Vendor releases a fixed version

Summary

The lesson learned from this vulnerability is that one should never trust array keys in PHP. Instead, these should be treated with as much care as any other variable. The security issue could be detected successfully by RIPS due to its precise array handling and its comprehensive analysis of PHP object injection vulnerabilities. We would like to thank the e107 team for the very professional collaboration. They responded fast and worked hard until the very last minute in order to provide a fixed version. We urge all users to update to the latest version.
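The two weaknesses in the case study, the unkeyed MD5 check on data handed to unserialize and the unsanitized array keys that reach the UPDATE query, next to a hardened form, as an added example that is neither e107's code nor RIPS's; SECRET_KEY, ALLOWED_COLUMNS and all function names are hypothetical:

```php
<?php
// Added illustration, not e107 code. SECRET_KEY, ALLOWED_COLUMNS and the function names
// are hypothetical.

const SECRET_KEY = 'replace-with-a-random-32-byte-secret';   // hypothetical; keep it outside the web root
const ALLOWED_COLUMNS = ['user_email', 'user_signature'];     // hypothetical allowlist of user-editable columns

// Weak pattern from the post: an unkeyed MD5 is a check anyone can satisfy, and unserialize()
// lets the sender choose classes and array keys.
function loadUserDataWeak(string $payload, string $digest): array
{
    if (md5($payload) !== $digest) { return []; }
    $data = unserialize($payload);            // sender controls classes and array keys
    return is_array($data) ? $data : [];
}

// Hardened: HMAC with a server-side secret, constant-time comparison, JSON instead of serialize.
function signUserData(array $data): array
{
    $payload = json_encode($data, JSON_THROW_ON_ERROR);
    return [$payload, hash_hmac('sha256', $payload, SECRET_KEY)];
}

function loadUserData(string $payload, string $tag): array
{
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET_KEY), $tag)) {
        return [];                            // forged or modified: a valid tag needs the key
    }
    $data = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Hardened SET-clause builder: every key must be on the allowlist and values are bound,
// so neither keys nor values can change the shape of the UPDATE statement.
function buildSetClause(array $data): array
{
    $set = [];
    $params = [];
    foreach ($data as $column => $value) {
        if (!in_array($column, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("column not updatable: $column");
        }
        $set[] = "`$column` = ?";             // $column is an allowlisted literal, safe to interpolate
        $params[] = $value;
    }
    return ['SET ' . implode(', ', $set), $params];
}

// Usage: a signed payload round-trips; a tampered one yields [] and never reaches the query.
[$payload, $tag] = signUserData(['user_email' => 'alice@example.com']);
[$clause, $params] = buildSetClause(loadUserData($payload, $tag));
```

The clause and parameter list are meant for a prepared statement, so the escaping that prepareUpdateArg performs on values is no longer the only line of defence.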
We're happy to announce the release of e107 v2.1.8! This release contains some great improvements as well as bug fixes. We recommend everyone upgrade immediately.

New features: new functionalities for 'User ranks'; new addon egsitemap for sitemap generation.