e107 CMS Cross-Site Request Forgery Vulnerability in Comment Moderation

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in e107 CMS versions prior to 2.3.5. The CMS does not consistently enforce CSRF token validation for comment moderation actions. An attacker can therefore craft a webpage that silently deletes or approves comments on behalf of a logged-in admin or moderator who visits it, without their knowledge. The root cause is the 'session_handler::check()' function, which validates a CSRF token only when one is present in the request, so a request that simply omits the token bypasses the check entirely.

Impact

Exploitation of this vulnerability allows for unauthorized comment moderation actions. Comments can be silently deleted or approved, with no indication to the user that these actions have occurred. This could be particularly damaging if combined with phishing or social engineering tactics targeting moderators, potentially disrupting comment sections on a large scale.

Reproduction

To reproduce this vulnerability, first confirm that a comment is in the 'not approved' state. Then, create a cross-origin webpage that sends a POST request to the 'comment.php' moderation endpoint, omitting the CSRF token. When this request is sent while an admin is logged in, the comment will be approved or deleted without the admin's knowledge.

Remediation

Upgrade to e107 version 2.3.5, which fixes this vulnerability. After updating, ensure that AJAX calls to comment moderation endpoints include a valid CSRF token. Until the update can be applied, restrict access to the 'comment.php' moderation endpoints at the web server or firewall level, or temporarily disable AJAX comment moderation from the admin panel.
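The following is an added illustration, not code from e107 or from this advisory. It contrasts the fail-open pattern described in the Vulnerability section (a token is validated only when the client sends one) with a fail-closed check, and shows a moderation dispatcher that refuses any state-changing action lacking a valid token, which is the server-side counterpart of the remediation advice above. The field name 'csrf_token', the function names and the request shapes are assumptions chosen for the example.

```php
<?php
// Added illustration; not e107's own code. Contrasts the fail-open token
// check described in the advisory with a fail-closed check, and shows a
// moderation dispatcher that requires the token for state-changing actions.
// The field name 'csrf_token' and all function names are assumptions.

declare(strict_types=1);

/**
 * Fail-open pattern: validates the token only if the client sent one.
 * A cross-origin form that simply omits the field is never checked.
 */
function csrf_check_fail_open(array $request, string $sessionToken): bool
{
    if (!isset($request['csrf_token'])) {
        return true;                      // no token supplied -> check skipped
    }
    return hash_equals($sessionToken, (string) $request['csrf_token']);
}

/**
 * Fail-closed pattern: a missing token is treated as an invalid token.
 * hash_equals() keeps the comparison constant-time.
 */
function csrf_check_fail_closed(array $request, ?string $sessionToken): bool
{
    if ($sessionToken === null || $sessionToken === '') {
        return false;                     // session never received a token
    }
    $supplied = $request['csrf_token'] ?? null;
    if (!is_string($supplied) || $supplied === '') {
        return false;                     // absent or malformed -> reject
    }
    return hash_equals($sessionToken, $supplied);
}

/**
 * Handles a moderation action. Every state-changing action must carry a
 * valid token; read-only actions are exempt. Returns a short status string
 * so the outcome is easy to inspect.
 */
function moderate_comment(string $action, int $commentId, array $request, ?string $sessionToken): string
{
    $stateChanging = ['approve', 'delete'];
    if (in_array($action, $stateChanging, true)) {
        if (!csrf_check_fail_closed($request, $sessionToken)) {
            http_response_code(403);
            return "rejected: {$action} of comment {$commentId} (missing or invalid CSRF token)";
        }
        // Persisting the change is omitted; this is where the real update would go.
        return "ok: {$action} of comment {$commentId}";
    }
    return "ok: read-only action '{$action}'";
}

// Constructed inputs: a token the server issued to the session, a forged
// cross-origin POST that omits it, and a legitimate request that carries it.
$sessionToken  = bin2hex(random_bytes(16));
$forgedRequest = ['action' => 'approve', 'comment_id' => 42];
$legitRequest  = $forgedRequest + ['csrf_token' => $sessionToken];

var_dump(csrf_check_fail_open($forgedRequest, $sessionToken));
var_dump(csrf_check_fail_closed($forgedRequest, $sessionToken));
echo moderate_comment('approve', 42, $forgedRequest, $sessionToken), PHP_EOL;
echo moderate_comment('approve', 42, $legitRequest, $sessionToken), PHP_EOL;
```

Run with `php example.php`: the fail-open check accepts the forged request because the field is absent, the fail-closed check rejects it, and the dispatcher returns a 403 result for the forged request while accepting the one that carries the session token. The client-side half of the fix is the one the advisory names: every AJAX moderation call must send the token, since the server now refuses requests without it.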

Added: May 26, 2026, 11:58 PM
Updated: May 26, 2026, 11:58 PM

Vulnerability Rating (Custom Algorithm)

  spread          3.4
  impact          0.6
  exploitability  7.9
  remediation     8.3
  relevance       9.6
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.