CVE-2010-4757
Description
Cross-site scripting (XSS) vulnerability in submitnews.php in e107 before 0.7.23 allows remote attackers to inject arbitrary web script or HTML via the submitnews_title parameter, a different vector than CVE-2008-6208. NOTE: some of these details are obtained from third party information. NOTE: this might be the same as CVE-2009-4083.1 or CVE-2011-0457.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in e107 before 0.7.23 allows unauthenticated attackers to execute arbitrary JavaScript when an admin reviews submitted news titles.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in submitnews.php in e107 before version 0.7.23. The submitnews_title parameter is not properly sanitized; user input containing HTML tags or double quotes is stored without modification [3]. This allows an unauthenticated attacker to submit a news item with a crafted payload. When an administrator reviews the submission queue at e107_admin/newspost.php?sn, the malicious script executes in the admin's browser [3].
Exploitation
An attacker with network access to the e107 site can submit a news item via submitnews.php with a submitnews_title containing a malicious payload, such as `` [3]. No authentication is required. The payload is stored in the database and is triggered when an admin browses the approval queue. e107 sanitizes single quotes to prevent SQL injection but does not strip HTML tags or double quotes [3].
Impact
Successful exploitation leads to execution of arbitrary JavaScript in the context of the administrative session. This can be used to steal session cookies, perform actions as the admin (including creating or modifying users, deleting content), or launch further attacks. The impact is limited to the scope of the admin's privileges and does not provide direct server-side code execution unless combined with other vulnerabilities [3].
Mitigation
The vulnerability is fixed in e107 version 0.7.23 [1][2]. The patch modifies e107_admin/newspost.php to properly sanitize input [1]. Users should upgrade to version 0.7.23 or later. No workaround is documented for older versions. The vendor recommends upgrading to the latest version [3].
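The defensive point in the paragraphs above is that neutralising single quotes for the database does nothing for the browser: the title must be encoded when it is written into the admin page. The following Python model is an added example, not e107's code or the vendor's patch; it assumes a simplified queue row and constructed sample titles, and contrasts the verbatim-insertion pattern the advisory describes with output encoding (the equivalent of PHP's htmlspecialchars with ENT_QUOTES), plus a text-only triage helper a defender can run over a submission queue.

```python
import html
import re

# Constructed sample news titles for the demonstration; none of these are
# payloads taken from the advisory.
SAMPLE_TITLES = [
    "Weekly community update",
    'Release notes for "0.7.23" <b>out now</b>',
    "O'Reilly book review",
]

# Matches anything shaped like an HTML tag, opening or closing.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_queue_row_vulnerable(title: str) -> str:
    """Pre-fix pattern as the advisory describes it: the stored title is
    placed into the admin page verbatim, so any tag or quote it carries
    becomes live markup. (Assumption: modelled on the CVE text, not on
    e107's actual template.)"""
    return f'<td class="news-title">{title}</td>'


def render_queue_row_hardened(title: str) -> str:
    """Fixed pattern: encode at output time. html.escape(quote=True) turns
    &, <, >, " and ' into entities, the Python counterpart of PHP's
    htmlspecialchars($s, ENT_QUOTES)."""
    return f'<td class="news-title">{html.escape(title, quote=True)}</td>'


def cell_has_live_markup(rendered_row: str) -> bool:
    """Verification check: after rendering, does the cell body still contain
    a raw HTML tag? A correct encoder must make this return False."""
    m = re.fullmatch(r'<td class="news-title">(.*)</td>', rendered_row, re.S)
    return m is not None and TAG_RE.search(m.group(1)) is not None


def audit_submitted_titles(titles):
    """Defender-side triage: return the titles in a queue that contain
    tag-like content, so they can be reviewed from a text-only view rather
    than in a rendering admin page."""
    return [t for t in titles if TAG_RE.search(t)]


if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        print("vulnerable:", render_queue_row_vulnerable(t))
        print("hardened:  ", render_queue_row_hardened(t))
    print("flagged for review:", audit_submitted_titles(SAMPLE_TITLES))
```

The hardened renderer deliberately encodes double quotes as well as angle brackets: the advisory singles out double quotes as a character e107 left untouched, and in an attribute context a stray double quote is enough to break out of the attribute even when no tag is present.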
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
News mentions (0)
No linked articles in our index yet.