e107 is a content management system written in PHP.
The usersettings.php page of e107 contains a SQL injection vulnerability:
if ($ret = ...)
{
    $loginname = strip_tags($_POST['loginname']);
    if (!$loginname)
    {
        $loginname = $udata['user_loginname'];
    }
    else
    {
        if (!check_class($pref['displayname_class'], $udata['user_classlist'], $peer))
        {
            $new_username = "user_name='{$loginname}', ";
            $username = $loginname;
        }
    }
    ...
    $_POST['signature'] = $tp->toDB($_POST['signature']);
    $_POST['realname'] = $tp->toDB($_POST['realname']);
    ...
    // We can update the basic user record now
    $sql->db_Update("user", "{$new_username} {$pwreset} {$sesschange} user_email='".$tp->toDB($_POST['email'])."', user_signature='".$_POST['signature']."', user_image='".$tp->toDB($_POST['image'])."', user_timezone='".$tp->toDB($_POST['timezone'])."', user_hideemail='".intval($tp->toDB($_POST['hideemail']))."', user_login='".$_POST['realname']."' {$new_customtitle}, user_xup='".$tp->toDB($_POST['user_xup'])."' WHERE user_id='".intval($inp)."'");
}
The code above places the POST variable loginname into the SQL query without correct database escaping. However, the filter a few lines earlier does block some characters:
// Login Name checks
if (isset($_POST['loginname']))
{   // Only check if it's been edited
    $temp_name = trim(preg_replace('/&nbsp;|#|=|\$/', "", strip_tags($_POST['loginname'])));
    if ($temp_name != $_POST['loginname'])
    {
        $error .= LAN_USET_13."\n";
    }
    // Check if login name exceeds maximum allowed length
    if (strlen($temp_name) > varset($pref['loginname_maxlength'], 30))
    {
        $error .= LAN_USET_14."\n";
    }
    $_POST['loginname'] = $temp_name;
}
This filter removes characters such as "#" and "=" and checks that loginname does not exceed the maximum allowed length, but it is not enough to prevent the attack: only "/*" is needed to leave the string context and open a comment, and the signature field, which is not filtered the same way, can then close it.
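An added example (not code from e107 or from this advisory) that makes both points above concrete: the loginname filter reproduced from usersettings.php passes comment delimiters through unchanged, while an UPDATE built with PDO bound parameters stores every field as plain data. It assumes a PHP build with pdo_sqlite, a constructed "user" table with the column names from the query above, and the hypothetical function name update_user_settings.

```php
<?php
// Added example, not e107's own code. Assumes pdo_sqlite is available.

// The same filter as in usersettings.php: strips &nbsp;, '#', '=' and '$'.
function filter_loginname(string $name): string
{
    return trim(preg_replace('/&nbsp;|#|=|\$/', '', strip_tags($name)));
}

// Comment delimiters are not on the blocklist, so the filter alone does not
// keep a value inside the string it was meant to stay in.
var_dump(filter_loginname('xpltest/*') === 'xpltest/*');   // bool(true)
var_dump(filter_loginname('*/ -- x') === '*/ -- x');       // bool(true)

// Hardened update: every user-supplied value is a bound parameter, so the
// database never parses it as SQL, and the row is selected by the user id the
// server already trusts (passed in here; in a real site it comes from the session).
function update_user_settings(PDO $pdo, int $uid, string $loginname, string $realname, string $signature): int
{
    $loginname = filter_loginname($loginname);   // the character policy can stay
    $stmt = $pdo->prepare(
        'UPDATE user SET user_name = :name, user_login = :login, user_signature = :sig
         WHERE user_id = :uid'
    );
    $stmt->execute([
        ':name'  => $loginname,
        ':login' => $realname,
        ':sig'   => $signature,
        ':uid'   => $uid,
    ]);
    return $stmt->rowCount();
}

// Self-contained demo on an in-memory SQLite database (constructed sample data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT,
            user_login TEXT, user_signature TEXT, user_admin INTEGER NOT NULL DEFAULT 0)');
$pdo->exec("INSERT INTO user (user_id, user_name, user_login) VALUES (444, 'xpltest', 'xpltest')");

// The field values from the advisory, sent through the prepared statement.
$changed = update_user_settings($pdo, 444, 'xpltest/*', 'xpltest',
                                '*/, user_admin = 1 where user_id = 444 -- x');

$row = $pdo->query('SELECT user_name, user_signature, user_admin FROM user WHERE user_id = 444')
           ->fetch(PDO::FETCH_ASSOC);
var_dump($changed === 1);                        // bool(true): one row updated
var_dump((int)$row['user_admin'] === 0);         // bool(true): privilege untouched
var_dump($row['user_name'] === 'xpltest/*');     // bool(true): stored literally
echo $row['user_signature'], PHP_EOL;            // printed back as ordinary text
```

The point of the bound parameters is that the comment delimiters never reach the SQL parser as syntax, so the blocklist in usersettings.php becomes a content policy rather than the only thing standing between the form and the database.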
Test method:
1. Access an e107 installation that has the vulnerability
2. Create a new user named xpltest
3. Log on as xpltest
4. Go to user settings
5. Find the user ID in the hidden _uid field in the page's HTML source; here it is assumed to be 444.
6. Enter xpltest/* in the realname field.
7. Enter */, user_admin = 1 where user_id = 444 -- x in the signature field (replace 444 with your user ID)
8. Start TamperData and activate tampering
9. Submit the user settings and change the realname variable to loginname
10. The xpltest user is now an administrator.
At the time of writing, the vendor has not provided a patch or upgrade. Users of the software are advised to follow the vendor's homepage for the latest version:
http://e107.org