Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 18 Aug 2011 14:18:27 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Elgg 1.7.10 <= | Multiple Vulnerabilities

1. OVERVIEW

The Elgg 1.7.10 and lower versions are vulnerable to Cross Site
Scripting and SQL Injection.


2. BACKGROUND

Elgg is an award-winning social networking engine, delivering the
building blocks that enable businesses, schools, universities and
associations to create their own fully-featured social networks and
applications. Well-known Organizations with networks powered by Elgg
include: Australian Government, British Government, Federal Canadian
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,
Johns Hopkins University and more (http://elgg.org/powering.php)


3. VULNERABILITY DESCRIPTION

The "internalname" parameter is not properly sanitized, which allows
attacker to conduct Cross Site Scripting attack. This may allow an
attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser. The "tag_names" is not
properly sanitized, which allows attacker to conduct SQL Injection
attack.


4. VERSIONS AFFECTED

Elgg 1.7.10 <=


5. PROOF-OF-CONCEPT/EXPLOIT

- Cross Site Scripting

http://localhost/pg/embed/media?internalname=%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22

- SQL Injection > Info Disclosure

http://localhost/pg/search/?q=SQLin&search_type=tags&tag_names=location%27


6. SOLUTION

Upgrade to 1.7.11 or higher.


7. VENDOR

Curverider Ltd
http://www.curverider.co.uk/
http://elgg.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-08-01: vulnerability reported
2011-08-15: vendor released fixed version
2011-08-18: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[elgg_1710]_xss_sqlin
Project Home: http://elgg.org/
Vendor Release Note:
http://blog.elgg.org/pg/blog/brett/read/189/elgg-1711-released



#yehg [2011-08-18]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.