Possible backdoor in the e107 CMS
Users of the e107 content management system (CMS) should keep a close eye on their installation over the coming days, with a two-pronged intrusion threat looming. The development team behind the content management system released version 0.7.17 at the weekend to fix a critical vulnerability, but it is now being reported that the new version contains a backdoor.
According to an analysis of the PHP source code by security specialist Bogdan Calin of Acunetix, the file class2.php contains the line `if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb")`, which defines a static cookie. Further code checks whether the cookie has been transferred and then executes commands passed using POST requests in the shell. It is not clear how the backdoor has found its way into the code and the find has not yet been confirmed by other sources. The code is not present in the CVS.
It is possible that the e107 development team's server had previously been compromised via the earlier vulnerability and that unknown intruders have just been waiting for the new version to be made available to download from the server. It is also, however, possible that a single download mirror has been compromised. An enquiry submitted to the development team by The H's associates at heise Security has not yet received a response.
The developers had in the meantime removed the ZIP file download for version 0.7.17 from their server. The link to the download is now once again working, but now leads to Sourceforge. The ZIP archive available for download at the new location includes the class2.php file minus the offending code. Version 0.7.16 users should switch to the new version. Users who have already installed version 0.7.17 should check the class2.php file and remove the offending lines if present.
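To make the check described above repeatable, here is an added example (not from the article, Acunetix or the e107 project): a small Python scanner that walks an e107 install and flags the two indicators quoted in the analysis, the `access-admin` cookie check and the hard-coded md5 digest. The tampered and clean PHP files it scans are constructed inline for demonstration.

```python
import os
import re
import tempfile

# Indicators taken from the published analysis of the tampered class2.php.
BACKDOOR_HASH = "cf1afec15669cb96f09befb7d70f8bcb"
Q = "['\"]"  # a single or double quote in PHP source
COOKIE = r"\$_COOKIE\s*\[\s*" + Q + "access-admin" + Q + r"\s*\]"
INDICATORS = [
    # Full check as reported; spacing is tolerated so that cosmetic edits do not hide it.
    re.compile(r"md5\s*\(\s*" + COOKIE + r"\s*\)\s*==\s*" + Q + BACKDOOR_HASH + Q),
    re.compile(COOKIE),          # the cookie name alone, in case the comparison was rewritten
    re.compile(BACKDOOR_HASH),   # the digest alone, in case it moved to another file
]

def scan_file(path):
    """Return (line_number, indicator_index, line) for each line matching an indicator."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for idx, pattern in enumerate(INDICATORS):
                if pattern.search(line):
                    hits.append((lineno, idx, line.rstrip("\n")))
                    break  # report the most specific indicator once per line
    return hits

def scan_tree(root):
    """Walk an install and return {relative_path: hits} for every .php file with a hit."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    findings[os.path.relpath(full, root)] = hits
    return findings

# Constructed sample install: a class2.php carrying the reported check, plus a clean file.
# The command execution that followed the check in the real file is deliberately omitted.
TAMPERED = ("<?php\n// ... original e107 code ...\n"
            "if(md5($_COOKIE['access-admin']) == \"cf1afec15669cb96f09befb7d70f8bcb\") {\n"
            "    // remainder omitted from this constructed sample\n}\n")
CLEAN = "<?php\n$admin = isset($_COOKIE['e107_admin']) ? $_COOKIE['e107_admin'] : '';\n"

def demo():
    """Write the constructed files to a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "e107_handlers"))
        with open(os.path.join(root, "class2.php"), "w") as fh:
            fh.write(TAMPERED)
        with open(os.path.join(root, "e107_handlers", "clean.php"), "w") as fh:
            fh.write(CLEAN)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, idx, line in hits:
            print(f"{path}:{lineno}: indicator {idx}: {line}")
```

Point `scan_tree()` at the web root of a real installation; any hit on indicator 0 is the line the article says to remove, while hits on indicators 1 or 2 deserve a manual look.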
It also appears that, for some time today, the e107.org web server was compromised. The home page contained JavaScript that seems to have tried to attack visitors to the site who were running Internet Explorer. Details of what exactly the code did, however, will require further analysis. While the site appears to be fine now, users are advised to proceed with caution.
See also:
- **SECURITY UPDATE** 0.7.17, security advisory from e107.org.
(crve)