| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Aug 2011 14:17:54 +0800 From: YGN Ethical Hacker Group <lists@...g.net> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, bugs@...uritytracker.com, vuln@...unia.com, secalert@...urityreason.com, news@...uriteam.com, vuln@...urity.nnov.ru, moderators@...db.org, submissions@...ketstormsecurity.org Subject: Elgg 1.7.10 <= | Multiple Vulnerabilities 1. OVERVIEW The Elgg 1.7.10 and lower versions are vulnerable to Cross Site Scripting and SQL Injection. 2. BACKGROUND Elgg is an award-winning social networking engine, delivering the building blocks that enable businesses, schools, universities and associations to create their own fully-featured social networks and applications. Well-known Organizations with networks powered by Elgg include: Australian Government, British Government, Federal Canadian Government, MITRE, The World Bank, UNESCO, NASA, Stanford University, Johns Hopkins University and more (http://elgg.org/powering.php) 3. VULNERABILITY DESCRIPTION The "internalname" parameter is not properly sanitized, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. The "tag_names" is not properly sanitized, which allows attacker to conduct SQL Injection attack. 4. VERSIONS AFFECTED Elgg 1.7.10 <= 5. PROOF-OF-CONCEPT/EXPLOIT - Cross Site Scripting http://localhost/pg/embed/media?internalname=%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22 - SQL Injection > Info Disclosure http://localhost/pg/search/?q=SQLin&search_type=tags&tag_names=location%27 6. SOLUTION Upgrade to 1.7.11 or higher. 7. VENDOR Curverider Ltd http://www.curverider.co.uk/ http://elgg.org/ 8. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2011-08-01: vulnerability reported 2011-08-15: vendor released fixed version 2011-08-18: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/[elgg_1710]_xss_sqlin Project Home: http://elgg.org/ Vendor Release Note: http://blog.elgg.org/pg/blog/brett/read/189/elgg-1711-released #yehg [2011-08-18] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists