lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAPYM6VxP7b-yKdOv3UVYS1Edwc+ZM-ncYW7GsK=+DJZd8k26aA@mail.gmail.com>
Date: Thu, 18 Aug 2011 14:17:54 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
  bugs@...uritytracker.com, vuln@...unia.com, secalert@...urityreason.com,
  news@...uriteam.com, vuln@...urity.nnov.ru, moderators@...db.org,
  submissions@...ketstormsecurity.org
Subject: Elgg 1.7.10 <= | Multiple Vulnerabilities

1. OVERVIEW

The Elgg 1.7.10 and lower versions are vulnerable to Cross Site
Scripting and SQL Injection.


2. BACKGROUND

Elgg is an award-winning social networking engine, delivering the
building blocks that enable businesses, schools, universities and
associations to create their own fully-featured social networks and
applications. Well-known Organizations with networks powered by Elgg
include: Australian Government, British Government, Federal Canadian
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,
Johns Hopkins University and more (http://elgg.org/powering.php)


3. VULNERABILITY DESCRIPTION

The "internalname" parameter is not properly sanitized, which allows
attacker to conduct Cross Site Scripting attack. This may allow an
attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser. The "tag_names" is not
properly sanitized, which allows attacker to conduct SQL Injection
attack.


4. VERSIONS AFFECTED

Elgg 1.7.10 <=


5. PROOF-OF-CONCEPT/EXPLOIT

- Cross Site Scripting

http://localhost/pg/embed/media?internalname=%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22

- SQL Injection > Info Disclosure

http://localhost/pg/search/?q=SQLin&search_type=tags&tag_names=location%27


6. SOLUTION

Upgrade to 1.7.11 or higher.


7. VENDOR

Curverider Ltd
http://www.curverider.co.uk/
http://elgg.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-08-01: vulnerability reported
2011-08-15: vendor released fixed version
2011-08-18: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[elgg_1710]_xss_sqlin
Project Home: http://elgg.org/
Vendor Release Note:
http://blog.elgg.org/pg/blog/brett/read/189/elgg-1711-released



#yehg [2011-08-18]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ