e107 Content Management System Broken Access Control Vulnerability Allowing Unauthorized Comment Edits

Vulnerability

A broken access control vulnerability has been identified in e107 content management system versions prior to 2.3.4. This vulnerability allows an authenticated user to edit comments made by other users, even though that user is not authorized to do so. The issue arises from insufficient server-side access control validation: the application relies solely on a predictable identifier in the request to determine which comment to edit, without verifying that the requesting user owns that comment. Exploitation of this vulnerability could lead to unauthorized modifications of comment content, creating opportunities for spreading misinformation or harassing users by altering their comments.

Impact

Exploitation of this vulnerability could result in unauthorized edits to comments, allowing for the spread of false information, harassment of users, and potential damage to the platform's reputation if sensitive edits are made public.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to 'comment.php' with the 'mode' parameter set to 'edit', 'itemid' corresponding to the comment ID of another user's comment, and the 'comment' parameter containing the new comment text. The absence of access control checks allows the comment to be updated successfully, even though it does not belong to the user making the request.

Remediation

Users can update to e107 version 2.3.4, where this vulnerability has been fixed. Alternatively, comment editing can be disabled by setting the 'allowCommentEdit' preference to off in the admin Preferences.
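The following PHP snippet is an added illustration of the defect the advisory describes and of the ownership check that closes it. It is not e107's own code: the comments table, its columns, the handler functions and the in-memory SQLite database are all assumptions made for this example. The unchecked function updates whatever row the item id names, which is the behaviour the advisory reports; the hardened function scopes the UPDATE to rows owned by the requesting user and also honours an "edit enabled" switch standing in for the 'allowCommentEdit' preference.

```php
<?php
// Added example, not e107's code. Schema, table name and function names are
// assumptions for illustration; the fix pattern itself is generic.

declare(strict_types=1);

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author_id INTEGER NOT NULL, body TEXT NOT NULL)');
    // Constructed sample rows: comment 1 belongs to user 10, comment 2 to user 20.
    $db->exec("INSERT INTO comments (id, author_id, body) VALUES (1, 10, 'first'), (2, 20, 'second')");
    return $db;
}

// Vulnerable pattern: the request's item id alone decides which row is edited,
// and the requester's identity is never compared with the row's author.
function editCommentUnchecked(PDO $db, int $requesterId, int $itemId, string $newBody): bool {
    $stmt = $db->prepare('UPDATE comments SET body = :body WHERE id = :id');
    $stmt->execute([':body' => $newBody, ':id' => $itemId]);
    return $stmt->rowCount() === 1;
}

// Hardened pattern: ownership is part of the UPDATE's WHERE clause, so an id
// that belongs to another user matches no row and the edit is refused. Putting
// the check in the same statement avoids a separate check-then-act step that
// could be raced.
function editCommentOwned(PDO $db, int $requesterId, int $itemId, string $newBody, bool $editEnabled = true): bool {
    if (!$editEnabled) {
        // Stands in for the site-wide comment-edit preference being switched off.
        return false;
    }
    $stmt = $db->prepare('UPDATE comments SET body = :body WHERE id = :id AND author_id = :uid');
    $stmt->execute([':body' => $newBody, ':id' => $itemId, ':uid' => $requesterId]);
    return $stmt->rowCount() === 1;
}

// Demonstration: user 20 attempts to edit comment 1, which belongs to user 10.
$db = setupDb();
var_dump(editCommentUnchecked($db, 20, 1, 'changed'));

$db = setupDb();
var_dump(editCommentOwned($db, 20, 1, 'changed'));   // other user's comment
var_dump(editCommentOwned($db, 10, 1, 'changed'));   // owner's own comment
var_dump(editCommentOwned($db, 10, 1, 'changed', false)); // editing disabled
```

Run with `php example.php` (requires the pdo_sqlite extension). The unchecked handler reports the cross-user edit as successful; the owned handler refuses it, allows the real author, and refuses everyone when editing is disabled. Returning a boolean from `rowCount()` also gives the caller a single signal for "not found", "not yours" and "disabled", which is what an audit log or an HTTP 403 response should be keyed on.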

Added: May 26, 2026, 4:40 PM
Updated: May 26, 2026, 4:40 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 6.8
remediation: 8.3
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.