[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Elgg 1.7.10 <= | Multiple Vulnerabilities
- To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, secalert@xxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, vuln@xxxxxxxxxxxxxxxx, moderators@xxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Elgg 1.7.10 <= | Multiple Vulnerabilities
- From: YGN Ethical Hacker Group <lists@xxxxxxxx>
- Date: Thu, 18 Aug 2011 14:17:54 +0800
1. OVERVIEW
The Elgg 1.7.10 and lower versions are vulnerable to Cross Site
Scripting and SQL Injection.
2. BACKGROUND
Elgg is an award-winning social networking engine, delivering the
building blocks that enable businesses, schools, universities and
associations to create their own fully-featured social networks and
applications. Well-known Organizations with networks powered by Elgg
include: Australian Government, British Government, Federal Canadian
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,
Johns Hopkins University and more (http://elgg.org/powering.php)
3. VULNERABILITY DESCRIPTION
The "internalname" parameter is not properly sanitized, which allows
attacker to conduct Cross Site Scripting attack. This may allow an
attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser. The "tag_names" is not
properly sanitized, which allows attacker to conduct SQL Injection
attack.
4. VERSIONS AFFECTED
Elgg 1.7.10 <=
5. PROOF-OF-CONCEPT/EXPLOIT
- Cross Site Scripting
http://localhost/pg/embed/media?internalname=%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22
- SQL Injection > Info Disclosure
http://localhost/pg/search/?q=SQLin&search_type=tags&tag_names=location%27
6. SOLUTION
Upgrade to 1.7.11 or higher.
7. VENDOR
Curverider Ltd
http://www.curverider.co.uk/
http://elgg.org/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-08-01: vulnerability reported
2011-08-15: vendor released fixed version
2011-08-18: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[elgg_1710]_xss_sqlin
Project Home: http://elgg.org/
Vendor Release Note:
http://blog.elgg.org/pg/blog/brett/read/189/elgg-1711-released
#yehg [2011-08-18]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/