e107 is a content management system written in PHP.
The [php] bbcode in e107 allows execution of arbitrary PHP code. What makes this dangerous is that e107's configuration normally forbids every user from using this bbcode, but the administrator can enable it for a specific user class on request, so a working access check is what stands between the feature and code execution.
In e107 the access-control check is not performed inside the bbcode parser itself; it is implemented in some of the external functions that call the parser, for example:
    function post_toHTML($text, $modifier = true, $extra = '')
    {
        ...
        // If user is not allowed to use [php] change to entities
        if (!check_class($pref['php_bbcode']))
        {
            $text = preg_replace("#\[(php)#i", "&#91;\\1", $text);
        }
        return ($modifier ? $this->toHTML($text, true, $extra) : $text);
    }
This code shows that the toHTML() method does not itself perform the access check for [php]; the check is done in the calling code. This means user input must never reach toHTML() directly, otherwise remote PHP code execution becomes possible.
However, in other parts of the code user input can reach toHTML(), for instance through the toEmail() method:
    function toEmail($text, $posted = "", $mods = "parse_sc, no_make_clickable")
    {
        if ($posted === TRUE && MAGIC_QUOTES_GPC)
        {
            $text = stripslashes($text);
        }
        $text = (strtolower($mods) != "rawtext") ? $this->replaceConstants($text, "full") : $text;
        $text = $this->toHTML($text, TRUE, $mods);
        return $text;
    }
Wherever the toEmail() method is applied to user input, it can therefore lead to remote PHP code execution. One example of this situation is the contact.php file:
    if (isset($_POST['send-contactus']))
    {
        $error = "";
        $sender_name = $tp->toEmail($_POST['author_name'], TRUE, "rawtext");
        $sender = check_email($_POST['email_send']);
        $subject = $tp->toEmail($_POST['subject'], TRUE, "rawtext");
        $body = $tp->toEmail($_POST['body'], TRUE, "rawtext");
        // ... (remainder of the handler omitted in the advisory)
    }
A POST request submitted to contact.php can thus cause the server to execute arbitrary PHP code.
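The root cause above is a gate that lives in one caller (post_toHTML()) rather than in the parser every caller shares. The following is an added example, not e107's own code, of the defensive pattern: the [php] neutralisation from post_toHTML() is moved into the parser entry point, so toEmail() and any other path into toHTML() are covered, and a small detection helper flags submissions that carry [php] tags so they can be logged. check_class(), $pref['php_bbcode'], the class ids and the HardenedParser class name are simplified stand-ins assumed here so the script runs offline; the magic-quotes handling of the original toEmail() is omitted because that feature no longer exists in current PHP. The regex also covers the closing [/php] tag, which goes slightly beyond the original one-tag replacement.

```php
<?php
// Added example, not e107's code. Stand-ins for e107's preferences and
// check_class() so the script runs without the CMS; the class ids are assumed.
$pref = ['php_bbcode' => 250];   // assumed: class id allowed to use [php]

function check_class(int $class): bool
{
    // Constructed: the current user belongs only to class 253 (not 250),
    // so the [php] bbcode must be neutralised for them.
    $userClasses = [253];
    return in_array($class, $userClasses, true);
}

class HardenedParser
{
    /**
     * Entity-encode the opening bracket of [php] and [/php] tags, the same
     * transformation post_toHTML() applies, so the parser will not evaluate them.
     */
    public static function neutralizePhpBbcode(string $text): string
    {
        return preg_replace('#\[(/?php)#i', '&#91;\\1', $text);
    }

    /** Detection helper: does raw user input contain a live [php] tag? */
    public static function containsPhpBbcode(string $text): bool
    {
        return (bool) preg_match('#\[php\b#i', $text);
    }

    /** The gate now runs once, inside the parser, for every entry point. */
    private function enforcePhpBbcodeGate(string $text): string
    {
        global $pref;
        if (!check_class($pref['php_bbcode'])) {
            $text = self::neutralizePhpBbcode($text);
        }
        return $text;
    }

    public function toHTML(string $text, bool $parseBB = true, string $mods = ''): string
    {
        // Gate first; the real bbcode evaluation would follow here for allowed classes.
        return $this->enforcePhpBbcodeGate($text);
    }

    public function toEmail(string $text, $posted = '', string $mods = 'parse_sc, no_make_clickable'): string
    {
        // Same call chain as the original toEmail(); the gate in toHTML() now protects it.
        return $this->toHTML($text, true, $mods);
    }
}

// Constructed sample: a contact-form body carrying a [php] bbcode tag.
$body = "Hello,\n[php]echo 1;[/php]\nRegards";

if (HardenedParser::containsPhpBbcode($body)) {
    // A logging/alerting hook would go here; flagging is enough for this demo.
    echo "flag: [php] bbcode present in user input\n";
}

$tp = new HardenedParser();
echo $tp->toEmail($body, true, 'rawtext'), PHP_EOL;
// Both tags are now rendered as text: &#91;php]echo 1;&#91;/php]
```

Because the check is applied at the parser boundary, adding a new caller such as contact.php cannot reintroduce the bypass; the detection helper is independent of the gate and is useful for spotting attempts in request logs even after the parser is fixed.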