CMS e107 1.0.4 Reflecting XSS vulnerability

2015.01.09

Credit: Steffen R

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Advisory: Reflecting XSS vulnerability in CMS e107 v. 1.0.4
Advisory ID: SROEADV-2014-05
Author: Steffen Rsemann
Affected Software: CMS e107 v. 1.0.4
Vendor URL: http://e107.org
Vendor Status: did not respond to issue
CVE-ID: -
==========================
Vulnerability Description:
==========================
The CMS e107 v. 1.0.4 has a reflecting XSS vulnerability in its
administrative backend which can be exploited by bypassing an XSS filter.
==================
Technical Details:
==================
The filemanager functionality of CMS e107 v. 1.0.4 has a reflecting XSS
vulnerability. The filemanager is located here on a normal e107
installation:
http://{TARGET}/e107_admin/filemanager.php
The e107 files are located in the following folder, which is created when
installing the CMS:
http://{TARGET}/e107_admin/filemanager.php?e107_files/
By appending specially crafted HTML and/or JavaScript-code, an attacker
could exploit this vulnerability.
Exploit-Example:
http://{TARGET}/e107_admin/filemanager.php?e107_files/%3C%73%63%72%69%70%74%3Ealert(String.fromCharCode(34,88, 83, 83,34))%3C%2F%73%63%72%69%70%74%3E%3C!--%3C%2F%73%63%72%69%70%74%3E%3C!--
=========
Solution:
=========
Vendor didn't responded to this issue, as it is announced that issues on
e107 v. 1.0.4 are handled on lower priority.
====================
Disclosure Timeline:
====================
26/27-Dec-2014 &#8211; found the vulnerability
27-Dec-2014 - informed the developers
27-Dec-2014 &#8211; release date of this security advisory [without technical details]
03-Dec-2014 - opened up an issue on Github as vendor not responded (see https://github.com/e107inc/e107v1/issues/2)
09-Jan-2015 - release date of this security advisory
09-Jan-2015 - send to lists
========
Credits:
========
Vulnerability found and advisory written by Steffen Rsemann.
===========
References:
===========
[1] http://e107.org
[2] http://sroesemann.blogspot.de/2014/12/sroeadv-2014-05.html
[3] https://github.com/e107inc/e107v1/issues/2
[4] http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-05.html

References:

http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2014-05.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

CMS e107 1.0.4 Reflecting XSS vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.