e107 2.0 alpha2 Cross Site Scripting Vulnerability

Vendor: e107
Vulnerable Version(s): 2.0 alpha2 and probably prior
Tested Version: 2.0 alpha2
Advisory Publication: June 18, 2014 [without technical details]
Vendor Notification: June 18, 2014
Vendor Patch: June 27, 2014
Public Disclosure: July 16, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-4734
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in e107, which can be exploited to perform Cross-Site
Scripting (XSS) attacks.

1) Reflected Cross-Site Scripting (XSS) in e107: CVE-2014-4734

The vulnerability exists due to insufficient sanitization of "type" HTTP GET parameter passed to
"/e107_admin/db.php" script. A remote attacker can trick a logged-in administrator to follow a specially
crafted link and execute arbitrary HTML and scripting code in administrator’s browser.

Using advanced XSS techniques a remote attacker can gain complete access over administrator’s session and perform
arbitrary actions as web application administrator.

The following exploitation example displays JS pop-up with "immuniweb" word when the administrator hits the
"submit" button:

http://[host]/e107_admin/db.php?mode=pref_editor&type=123%27%20onsubmit=%22alert%28%27immuniweb%27%29%3b%22%20a=%27

-----------------------------------------------------------------------------------------------

Solution:

Update e107_admin/db.php file from GitHub.

More Information:
https://github.com/e107inc/e107/commit/f80e417bb3e7ab5c1a89ea9ddd2cd060f54464e1
https://github.com/e107inc/e107/commit/e3088a877f94ac465555173e28b2f7f4a4f6d5e8

#  0day.today [2018-01-08]  #