| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Nov 2008 10:20:21 -0700 From: office@...kattack.at To: bugtraq@...urityfocus.com Subject: Social Engine 2.7 CRLF Injection + SQL injection [HACKATTACK Advisory 2008-11-20]Social Engine 2.7 CRLF Injection + SQL injection Details ************************ Product: Social Engine Security-Risk: moderate Remote-Exploit: yes Vendor-URL: http://www.socialengine.net/ Vendor-Status: informed Advisory-Status: published Credits ************************ Discovered by: David Vieira-Kurz of HACKATTACK IT SECURITY GmbH http://www.HACKATTACK.at || http://www.HACKATTACK.eu Affected Products: ---------------------------- Social Engine 2.7 and prior Original Advisory: ************************ http://www.HACKATTACK.at/ http://www.HACKATTACK.eu/ Introduction ************************ SocialEngine is a PHP-based social network platform that lets you create a social network on your website. More Details ************************ 1. SQL Injection: --------------------- Input passed to the POST variable "comment_secure" parameter in "profile_comments.php" is not properly sanitised before being used in a SQL query. 2. Cookie_Manipulation: --------------------- The cookie variable "PHPSESSID" is not properly sanitized before being used. This can be exploited by injecting arbitrary custom headers using a carriage return linefeed injection. Solution ************************ Edit the source code to ensure that input is properly sanitised. You should work with "htmlspecialchars()" or "htmlentities()" php-function to ensure that html tags are not going to be executed. You should also work with the "mysql_real_escape_string()" php-function to ensure that sql statements can't be delivered over the "get" variables. It's also possible to turn on magic_quotes, depending on how you handle the quotes inside of your script to make sure magic_quotes doesn't double escape the quotes. Example: # clean = array(); # $html = array(); # $html['username'] = htmlentities($clean['username'],ENT_QUOTES,UTF-8'); ?> About HACKATTACK ================ HACKATTACK IT SECURITY GmbH is a Penetrationtest and security Auditing company located in Austria and Germany. Hotline Germany +49 (0)800 20 60 900 Hotline Austria +43 (0)06223 20 6210 More Information about HACKATTACK at http://www.HACKATTACK.at || http://www.HACKATTACK.eu
Powered by blists - more mailing lists