e107 v.2 alpha2 CSRF vulnerability

2014-12-29 / 2015-04-19
Credit: Steffen
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2014-9459
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Advisory: CSRF vulnerability in CMS e107 v.2 alpha2 Advisory ID: SROEADV-2014-04 Author: Steffen Rsemann Affected Software: CMS e107 v.2 alpha2 (Release-Date: 08th-Jun-2014) Vendor URL: http://e107.org Vendor Status: solved CVE-ID: - ========================== Vulnerability Description: ========================== The Content Management System e107 v.2 alpha2 allows an attacker to become an administrative user (without rights) when tricking the admin into executing a CSRF-vulnerable URL including the attackers user-id. ================== Technical Details: ================== The administrative backend of e107 v.2 alpha2 provides the functionality to put a user instant in the administrators group by using the following url when the administrator is already logged in: http://{DOMAIN/HOSTNAME}/e107_admin/users.php?mode=main&action=admin&id={ID} An attacker could try to abuse this in convincing the admin to execute a link which contains the id of the attackers user-account or trick him to go on a page the attacker controls where this URL is opened (e.g. in a hidden iframe) while the admin is logged in. The attacker knows his own id because it is shown on his user profile: http://{DOMAIN/HOSTNAME}/user.php?id.{ID} Although the attacker would not instant gain any rights it is a security issue. Combined with clickjacking and/or other social engineering attacks this issue could be expanded to gain such elevated rights. ========= Solution: ========= Install the latest patch from the github repository (see below). ==================== Disclosure Timeline: ==================== 22-Dec-2014 – found the vulnerability 22-Dec-2014 - informed the developers 26-Dec-2014 – release date of this security advisory [without technical details] 27-Dec-2014 – vendor responded and provided a patch 28-Dec-2014 – release date of this security advisory 28-Dec-2014 – post on Bugtraq / FullDisclosure ======== Credits: ======== Vulnerability found and advisory written by Steffen Rsemann. =========== References: =========== http://e107.org https://github.com/e107inc/e107/commit/9249f892b1e635979db2a830393694fb73531080 http://sroesemann.blogspot.de

References:

http://e107.org
https://github.com/e107inc/e107/commit/9249f892b1e635979db2a830393694fb73531080
http://sroesemann.blogspot.de


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top