| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Jul 2008 03:20:56 -0700 From: "Tim Loshak" <tim.loshak@...il.com> To: bugtraq@...urityfocus.com Subject: Vulnerability: SocialEngine (SocialEngine.net) high risk security flaw SECURITY ADVISORY CS-2008-2 Vulnerability: Improper validation of external parameters Vendor: SocialEngine (http://www.socialengine.net) Affected versions: <2.83 Risk: High I. DESCRIPTION Improper validation of browser cookies leads to complete control over client host. II. BACKGROUND During client authentication, cookies are used as an input parameters for authorization and validation of identity both as user and as an administrator. It is possible to construct specially crafted cookie parameters which will cause sql injection and give full administrative access rights. Additionally, having full write access templates for smarty based engine, together with all-allow security level for the templates processing, allows injection of php code into templates, gaining complete and undetected control of the server, such as direct access to file system, direct access to any databases. III. ANALYSIS 1. user level entry path via include/class_user.php user_checkCookies -> se_user 2. admin level entry path via include/class_admin.php admin_checkCookies -> se_admin IV. POC EXPLOIT not disclosed, submitted to vendor V. DISCLOSURE TIMELINE 10-Jul-2008 Initial vendor notification 11-Jul-2008 Vendor releases patch 22-Jul-2008 Public Disclosure VI. CREDITS Creogenic Security Tim Loshak tim.loshak@...il.com
Powered by blists - more mailing lists