Multiple SQL injection vulnerabilities in e107

2010-09-03T00:00:00
ID HTB22602
Type htbridge
Reporter High-Tech Bridge
Modified 2010-09-03T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered three SQL injection vulnerabilities in e107 which could lead to execution of arbitrary SQL commands in the application's database.

1) SQL injection vulnerabilities in e107

1.1 An input validation error exists in the URL in /e107_admin/wmessage.php. A remote attacker can send a specially crafted HTTP GET request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data but requires "Welcome message" permissions.
Exploitation example:
http://host/e107_admin/wmessage.php?create.edit.999999%0Aunion%0Aselect%0A1,2,user%28%29

1.2 The vulnerability exists due to an input validation error in the URL in /e107_plugins/forum/forum_admin.php. A remote attacker can send a specially crafted HTTP GET request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data but requires privileges to manage forums.

Exploitation example:
http://host/e107_plugins/forum/forum_admin.php?create.edit.9999999%0Aunion%0Aselect%0A1,2,user(),4,5,6,7,8,9,10,11,12,13,14

1.3 An input validation error exists in the URL in /e107_admin/download.php. A remote attacker can send a specially crafted HTTP GET request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database but requires "Post download" permissions.
Exploitation example:
http://host/e107_admin/download.php?cat.edit.999999%0Aunion%0Aselect%0A1,2,3,4,5,6,7
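
Detection example (added here, not part of the original advisory or of e107): a log check that flags requests to the three affected scripts whose ID field is not purely numeric. It assumes Common Log Format access logs and that the third dot-separated field of the "*.edit.<id>" query string is meant to be an integer, as the examples above suggest; the log lines are constructed sample data.

```python
import re
from urllib.parse import unquote

# Scripts named in the advisory; each takes a dot-separated query string.
WATCHED_PATHS = {
    "/e107_admin/wmessage.php",
    "/e107_plugins/forum/forum_admin.php",
    "/e107_admin/download.php",
}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, invented users).
SAMPLE_LOG = [
    '192.0.2.10 - admin [03/Sep/2010:10:00:00 +0000] "GET /e107_admin/wmessage.php?create.edit.3 HTTP/1.1" 200 5120',
    '192.0.2.44 - editor [03/Sep/2010:10:02:11 +0000] "GET /e107_admin/wmessage.php?create.edit.999999%0Aunion%0Aselect%0A1,2,user%28%29 HTTP/1.1" 200 5311',
    '192.0.2.44 - editor [03/Sep/2010:10:02:40 +0000] "GET /e107_admin/download.php?cat.edit.999999%0Aunion%0Aselect%0A1,2,3,4,5,6,7 HTTP/1.1" 200 4870',
    '192.0.2.10 - admin [03/Sep/2010:10:05:00 +0000] "GET /e107_admin/newspost.php?create.edit.7 HTTP/1.1" 200 900',
]


def suspicious_id(line):
    """Return the decoded ID field if it is not purely numeric, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path not in WATCHED_PATHS:
        return None
    # Decode before splitting so %0A, %28 etc. are seen as the server sees them.
    fields = unquote(query).split(".", 2)
    if len(fields) < 3 or fields[1] != "edit":
        return None
    # Assumption: a legitimate ID consists of ASCII digits only.
    return None if re.fullmatch(r"[0-9]+", fields[2]) else fields[2]


def scan(lines):
    """Return (line_number, decoded_id) for every flagged request."""
    checked = ((n, suspicious_id(l)) for n, l in enumerate(lines, 1))
    return [(n, ident) for n, ident in checked if ident is not None]


if __name__ == "__main__":
    for n, ident in scan(SAMPLE_LOG):
        print(f"line {n}: non-numeric id field {ident!r}")
```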