e107 XSS and XSRF Vulnerabilities
Description of Vulnerability:
e107 (http://e107.org) is a PHP/MySQL based content management system. e107 allows anonymous users to submit news items for display on the front page. These items enter a queue for review by admins and are subsequently approved or rejected.
e107 suffers from a cross-site request forgery (XSRF) vulnerability because it fails to use a hard-to-guess random token in the user add form located at e107_admin/users.php?create. The token is carried in a hidden form field 'ac' and is derived from the MD5 hash of the administrative user account's creation date. When the administrative account is created, the Unix timestamp is stored in the MySQL database in the e107_user.user_pwchange column. Because logged-in users can view the 'Joined' date of the admin user at /user.php?id.1, it is easy to derive the Unix timestamp for the creation date of the account and therefore the token.
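The weak token derivation described above, placed beside a hardened form, as an added illustration that is not e107's own code; `weak_token`, `get_csrf_token` and `check_csrf_token` are hypothetical names, and a plain array stands in for `$_SESSION`:

```php
<?php
// Added illustration (not e107 code): predictable anti-CSRF token vs. random one.

// Weak pattern from the advisory: the token is md5() of a value a logged-in
// user can learn (the admin account's creation timestamp), so it is guessable.
function weak_token(int $adminCreatedAt): string {
    return md5((string) $adminCreatedAt);
}

// Hardened pattern: a per-session secret from the CSPRNG, kept server-side,
// emitted in the form, and compared in constant time on submit.
function get_csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits of entropy
    }
    return $session['csrf_token'];
}

function check_csrf_token(array $session, ?string $submitted): bool {
    if (!isset($session['csrf_token']) || $submitted === null) {
        return false;
    }
    // hash_equals() avoids the timing leak a plain == comparison would allow.
    return hash_equals($session['csrf_token'], $submitted);
}

// Demo with a constructed session array standing in for $_SESSION.
$session = [];
$token = get_csrf_token($session);
echo '<input type="hidden" name="ac" value="'
    . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">' . PHP_EOL;

// Genuine token from this session is accepted; a token derived only from a
// constructed timestamp (the weak scheme) is rejected.
var_dump(check_csrf_token($session, $token));
var_dump(check_csrf_token($session, weak_token(1200000000)));
```

The token must also be regenerated on login so that a value captured before authentication is not reusable afterwards.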
e107 0.7.22 was tested and shown to be vulnerable.
Unauthenticated users can exploit these vulnerabilities to attack other users, potentially compromising the e107 service or host.
Upgrade to the latest version of e107 to mitigate these vulnerabilities.