e107 CMS system website compromised

As part of my job here at Acunetix, from time to time I analyze source code looking for security problems. I use what I find to adjust Acunetix WVS so that it detects these problems automatically (when possible).

On Monday I downloaded e107 from e107.org and started analyzing the code. e107 is a popular content management system written in PHP.

Looking through the code, the following lines drew my attention:

The first line

if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb") {

is used for authentication. If you modify your browser cookies and set a cookie named access-admin to a value whose MD5 hash is 'cf1afec15669cb96f09befb7d70f8bcb' (so md5(value) = 'cf1afec15669cb96f09befb7d70f8bcb'), you get access to a PHP shell. Note that the check compares the hash of the cookie, not the cookie itself, so the hash alone does not open it.

As I didn't know the exact value to use, I commented out this line to see what the PHP shell looks like and what can be done with it.

It's a known PHP shell; I've seen it before a few times. It's pretty powerful: you can execute system commands, execute PHP code, edit and rename files, and create files and/or directories. You can also upload new files and browse the file system with the privileges of the web server user.

BTW, if you search on Google using a few words from this shell (like ~:(expl0rer):~) you will find a bunch of live shells indexed by Google. Most of these sites seem to be running RSGallery (a Joomla! component). I will try to contact these people about their websites being hacked.

Back to e107: I’ve informed the guys from e107.org and a few hours later the problem was fixed.

Here is what happened:

  1. A few days ago, somebody found and exploited an e107 0-day (in 0.7.16) on some websites. The e107 developers were informed about this and released 0.7.17 to fix the problem.
  2. However, I suspect e107.org itself was already compromised at this point: the site runs e107 and was an obvious target.
  3. The attackers waited until the security fix (0.7.17) was released and then modified the zip file on e107.org to include the backdoor.
  4. Because of the security update announcement, most e107 site owners were rushing to upgrade at exactly that moment, and I suspect that many people downloaded the backdoored archive.

So, if you downloaded e107 this weekend, you have a backdoored copy: remove it from your website and download a fresh one.
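If you want to check a downloaded copy (or a deployed site) for this backdoor rather than just trust the download date, the following script is an added example, not code from the post or from the e107 project. It walks a directory of PHP files and flags two indicators taken from the post: the hard-coded gate `md5($_COOKIE['access-admin']) == "<hash>"` and the shell's `~:(expl0rer):~` banner. The gate is matched generically (any cookie name, any 32-hex-digit constant), so it also catches the same trick under a different cookie name; a hit on the exact hash from the post is labelled as the known e107 backdoor. The sample tree it scans is constructed inline and does not reproduce the real e107 sources; the file name `suspect.php` is an invention for the demo.

```python
import hashlib
import re
import sys
import tempfile
from pathlib import Path

# Indicators quoted in the post: the hard-coded MD5 the backdoor compares
# the cookie hash against, and the banner string of the PHP shell.
BACKDOOR_MD5 = "cf1afec15669cb96f09befb7d70f8bcb"
SHELL_BANNER = "~:(expl0rer):~"

# Generic form of the gate: md5($_COOKIE['<name>']) == "<32 hex chars>".
# Tolerates whitespace, single or double quotes, and == or ===.
COOKIE_GATE_RE = re.compile(
    r"""md5\s*\(\s*\$_COOKIE\s*\[\s*['"]([^'"]+)['"]\s*\]\s*\)"""
    r"""\s*={2,3}\s*['"]([0-9a-fA-F]{32})['"]"""
)

PHP_SUFFIXES = {".php", ".inc", ".phtml"}


def scan_file(path):
    """Return a list of indicator hits (dicts) found in one PHP file."""
    findings = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in COOKIE_GATE_RE.finditer(line):
            cookie, digest = m.group(1), m.group(2).lower()
            findings.append({
                "file": str(path), "line": lineno, "kind": "cookie-md5-gate",
                "cookie": cookie, "md5": digest,
                "known_e107_backdoor": digest == BACKDOOR_MD5,
            })
        if SHELL_BANNER in line:
            findings.append({"file": str(path), "line": lineno,
                             "kind": "shell-banner"})
    return findings


def scan_tree(root):
    """Scan every PHP-like file under root and collect all findings."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES:
            findings.extend(scan_file(p))
    return findings


def cookie_value_opens_gate(candidate, digest=BACKDOOR_MD5):
    """True if md5(candidate) equals the hard-coded hash, i.e. candidate is
    a value the access-admin cookie would have to carry. Sending the hash
    itself as the cookie does not work: the code hashes the cookie first."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest


def build_sample_tree():
    """Constructed sample tree: one clean file and one file carrying the
    gate quoted in the post. Not the real e107 sources."""
    d = Path(tempfile.mkdtemp())
    (d / "clean.php").write_text("<?php echo 'hello'; ?>\n")
    (d / "suspect.php").write_text(
        "<?php\n"
        "// constructed sample mirroring the gate quoted in the post\n"
        "if(md5($_COOKIE['access-admin']) == "
        "\"cf1afec15669cb96f09befb7d70f8bcb\") {\n"
        "    echo \"~:(expl0rer):~\";\n"
        "}\n"
    )
    return d


if __name__ == "__main__":
    # Usage: python scan_e107.py /path/to/webroot  (defaults to the sample tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in scan_tree(target):
        print(f)
```

Run it against the unpacked download or the web root; an empty result from a version released before the fix (e.g. the SourceForge copy mentioned in the comments) is a useful baseline to compare against. The hash comparison in the gate is also a reminder of why knowing the hash alone is not enough: `cookie_value_opens_gate` has to be fed the preimage, which the post never recovers.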

  • You don't have to know the value to have the cookie set. You just have to set the cookie's value to 'cf1afec15669cb96f09befb7d70f8bcb'.

    http://seclists.org/bugtraq/2010/Jan/217

    And seeing your post on Bugtraq, it seems that you posted it before the programmers behind e107 fixed it.

    I’ve informed the e107 guys about this situation.
    For now, that link is not safe.

    Isn’t that a little gray hat from yourself?

  • @dblackshell: No, you are wrong. If you read the source code you will see this:

    if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb") {

    So, you must know the value for the cookie to get access to the shell.

    About disclosure: I was trying to let people know about the backdoor as soon as possible. The more time passed, the more people would download the backdoor. When I find a vulnerability in a web application, I inform the vendor and wait until they fix the problem. However, this was a special case: there was no vulnerability, the more time passed the more people would get the backdoor, and if you don't know the value for the cookie you cannot get access to the shell. Therefore, I decided to publish the information as soon as possible.

    @Carsten: The details about the 0day vulnerability in e107 were not publicly released.

  • @Bogdan Calin you are right

    by the way

    Can you scan DataLife Engine 8.3 (CMS)
    This is the best CMS I have ever come across. I didn't find any vulnerability in the latest 8.3 version.

  • Sorry, I downloaded e107 (versions 0.7.16 and 0.7.17) but didn't find this backdoor in the source!!!

    Are you sure about this?!
    please explain, thank you.

    • Probably they have replaced all the backdoored versions by now, even the older ones. And the copy from SourceForge was never backdoored. Only the copy from e107.org.

  • thank you,

    but do you know what the value behind this md5 (cf1afec15669cb96f09befb7d70f8bcb) is?

  • @Bogdan: yes indeed, I skimmed through the code (on seclist) and came here to comment without further reinspection.
