A discussion on the e107 official web site: http://e107.org/comment.php?comment.news.878
February 2, 2011 - Update:
Just another piece of evidence that the SourceForge breach was exploited by a web bot. At least, from the following screenshot, it seems that the entry point was found by a web vulnerability scanner bot. The figure shows a well-known technique used by web bots: posting the results of their work to a pastebin-clone web site.
This pastie was released at the end of 2010. The bad thing is that the OFF keyword tells the bot operators that php_safe is OFF.
January 30, 2011 - Update:
SourceForge has formally admitted the problems that I notified them of in December 2010. My research, and my message to the Full Disclosure mailing list about the possible exploitation of a not-so-new e107 bug that could permit privilege escalation attempts, look to be confirmed. Here is the update:
Sourceforge Attack: Full Report
January 28, 2011 - Update:
Hacker News reports an update, and it seems that the SourceForge servers have been compromised:
Sourceforge servers compromised
The SourceForge response:
January 22, 2011:
Just now I found a post from Imperva: http://blog.imperva.com/2011/01/major-websites-govmiledu-are-hacked-and-up-for-sale.html. Intrigued by their results, similar to those I published in my previous post about a month ago (http://extraexploit.blogspot.com/2010/12/some-considerations-on-ettercap-source.html), I decided to do some checks. I noticed that the SourceForge entry point is still active. This is what seems possible from the error message that appears on this page. As you can see from this screenshot, the problem seems to reside in a project home page that includes a bugged e107 version:
With further investigation it is possible to find the page where the vulnerable version of e107 (affected by a remote command execution issue) is installed. This entry point could be used by a remote script to send system commands to the server (http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/index.html). The following screenshot is the well-known form that exposes SourceForge to this vulnerability:
The problem is that this breach, if confirmed, could be exploited to modify source code and thereby undermine the trust levels of applications maintained by this software repository.