cnvd - cnvd-2015-00144

CNVD-2015-00144

Vulnerability from cnvd - Published: 2015-01-09

Title

e107 ' e107_admin/users.php'跨站请求伪造漏洞

Description

E107是美国E107公司的一套开源、免费且基于PHP和MySQL的内容管理系统（CMS）。该系统支持多种外挂程序和外观主题，可作为个人博客、讨论社区、档案资料库等。 e107 admin/users.php脚本中的‘AdminObserver’函数存在跨站请求伪造漏洞。远程攻击者可通过‘id’参数利用该漏洞添加用户到管理员组。

Severity

中

Patch Name

e107 ' e107_admin/users.php'跨站请求伪造漏洞的补丁

Patch Description

Formal description

用户可参考如下厂商提供的安全公告获取补丁以修复该漏洞：http://sroesemann.blogspot.de/2014/12/sroeadv-2014-04.html

Reference

http://sroesemann.blogspot.de/2014/12/sroeadv-2014-04.html https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9459

Impacted products

Name
e107 e107 <= 2.0 alpha2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2014-9459"
    }
  },
  "description": "E107\u662f\u7f8e\u56fdE107\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u3001\u514d\u8d39\u4e14\u57fa\u4e8ePHP\u548cMySQL\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\uff08CMS\uff09\u3002\u8be5\u7cfb\u7edf\u652f\u6301\u591a\u79cd\u5916\u6302\u7a0b\u5e8f\u548c\u5916\u89c2\u4e3b\u9898\uff0c\u53ef\u4f5c\u4e3a\u4e2a\u4eba\u535a\u5ba2\u3001\u8ba8\u8bba\u793e\u533a\u3001\u6863\u6848\u8d44\u6599\u5e93\u7b49\u3002\r\n\r\ne107 admin/users.php\u811a\u672c\u4e2d\u7684\u2018AdminObserver\u2019\u51fd\u6570\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u2018id\u2019\u53c2\u6570\u5229\u7528\u8be5\u6f0f\u6d1e\u6dfb\u52a0\u7528\u6237\u5230\u7ba1\u7406\u5458\u7ec4\u3002",
  "discovererName": "unKnow",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1ahttp://sroesemann.blogspot.de/2014/12/sroeadv-2014-04.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-00144",
  "openTime": "2015-01-09",
  "patchDescription": "E107\u662f\u7f8e\u56fdE107\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u3001\u514d\u8d39\u4e14\u57fa\u4e8ePHP\u548cMySQL\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\uff08CMS\uff09\u3002\u8be5\u7cfb\u7edf\u652f\u6301\u591a\u79cd\u5916\u6302\u7a0b\u5e8f\u548c\u5916\u89c2\u4e3b\u9898\uff0c\u53ef\u4f5c\u4e3a\u4e2a\u4eba\u535a\u5ba2\u3001\u8ba8\u8bba\u793e\u533a\u3001\u6863\u6848\u8d44\u6599\u5e93\u7b49\u3002 \r\n\r\ne107 admin/users.php\u811a\u672c\u4e2d\u7684\u2018AdminObserver\u2019\u51fd\u6570\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u2018id\u2019\u53c2\u6570\u5229\u7528\u8be5\u6f0f\u6d1e\u6dfb\u52a0\u7528\u6237\u5230\u7ba1\u7406\u5458\u7ec4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "e107 \u0027 e107_admin/users.php\u0027\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "e107 e107 \u003c= 2.0 alpha2"
  },
  "referenceLink": "http://sroesemann.blogspot.de/2014/12/sroeadv-2014-04.html\r\nhttps://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9459",
  "serverity": "\u4e2d",
  "submitTime": "2015-01-08",
  "title": "e107 \u0027 e107_admin/users.php\u0027\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

CVE-2014-9459 (GCVE-0-2014-9459)

Vulnerability from cvelistv5 – Published: 2015-01-02 20:00 – Updated: 2024-08-06 13:47

Summary

Cross-site request forgery (CSRF) vulnerability in the AdminObserver function in e107_admin/users.php in e107 2.0 alpha2 allows remote attackers to hijack the authentication of administrators for requests that add users to the administrator group via the id parameter in an admin action.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://sroesemann.blogspot.de/2014/12/sroeadv-201…	x_refsource_MISC
	http://packetstormsecurity.com/files/129751/e107-…	x_refsource_MISC
	https://github.com/e107inc/e107/commit/9249f892b1…	x_refsource_CONFIRM
	http://seclists.org/fulldisclosure/2014/Dec/124	mailing-listx_refsource_FULLDISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T13:47:40.873Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://sroesemann.blogspot.de/2014/12/sroeadv-2014-04.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/129751/e107-2.0-Alpha2-Cross-Site-Request-Forgery.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/e107inc/e107/commit/9249f892b1e635979db2a830393694fb73531080"
          },
          {
            "name": "20141229 CSRF vulnerability in CMS e107 v.2 alpha2",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2014/Dec/124"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-12-28T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site request forgery (CSRF) vulnerability in the AdminObserver function in e107_admin/users.php in e107 2.0 alpha2 allows remote attackers to hijack the authentication of administrators for requests that add users to the administrator group via the id parameter in an admin action."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2015-01-10T18:57:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://sroesemann.blogspot.de/2014/12/sroeadv-2014-04.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/129751/e107-2.0-Alpha2-Cross-Site-Request-Forgery.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/e107inc/e107/commit/9249f892b1e635979db2a830393694fb73531080"
        },
        {
          "name": "20141229 CSRF vulnerability in CMS e107 v.2 alpha2",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2014/Dec/124"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-9459",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site request forgery (CSRF) vulnerability in the AdminObserver function in e107_admin/users.php in e107 2.0 alpha2 allows remote attackers to hijack the authentication of administrators for requests that add users to the administrator group via the id parameter in an admin action."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://sroesemann.blogspot.de/2014/12/sroeadv-2014-04.html",
              "refsource": "MISC",
              "url": "http://sroesemann.blogspot.de/2014/12/sroeadv-2014-04.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/129751/e107-2.0-Alpha2-Cross-Site-Request-Forgery.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/129751/e107-2.0-Alpha2-Cross-Site-Request-Forgery.html"
            },
            {
              "name": "https://github.com/e107inc/e107/commit/9249f892b1e635979db2a830393694fb73531080",
              "refsource": "CONFIRM",
              "url": "https://github.com/e107inc/e107/commit/9249f892b1e635979db2a830393694fb73531080"
            },
            {
              "name": "20141229 CSRF vulnerability in CMS e107 v.2 alpha2",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2014/Dec/124"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2014-9459",
    "datePublished": "2015-01-02T20:00:00",
    "dateReserved": "2015-01-02T00:00:00",
    "dateUpdated": "2024-08-06T13:47:40.873Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2015-00144

CVE-2014-9459 (GCVE-0-2014-9459)

Tags

Sightings

Nomenclature