
List:       oss-security
Subject:    Re: [oss-security] CVE Request: Elgg 1.7.10 <= | Multiple
From:       Josh Bressers <bressers () redhat ! com>
Date:       2011-08-19 19:17:10
Message-ID: 168586529.142226.1313781430377.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

Please use CVE-2011-2935 for the XSS issue.

CVE-2011-2936 for the SQL injection issue.

Thanks.

-- 
    JB


----- Original Message -----
> 1. OVERVIEW
> 
> Elgg 1.7.10 and lower versions are vulnerable to Cross Site
> Scripting and SQL Injection.
> 
> 
> 2. BACKGROUND
> 
> Elgg is an award-winning social networking engine, delivering the
> building blocks that enable businesses, schools, universities and
> associations to create their own fully-featured social networks and
> applications. Well-known organizations with networks powered by Elgg
> include: Australian Government, British Government, Federal Canadian
> Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,
> Johns Hopkins University and more (http://elgg.org/powering.php)
> 
> 
> 3. VULNERABILITY DESCRIPTION
> 
> The "internalname" parameter is not properly sanitized, which allows
> an attacker to conduct a Cross Site Scripting attack. This may allow an
> attacker to create a specially crafted URL that would execute
> arbitrary script code in a victim's browser. The "tag_names" parameter
> is not properly sanitized, which allows an attacker to conduct a SQL
> Injection attack.
> 
> 
> 4. VERSIONS AFFECTED
> 
> Elgg 1.7.10 <=
> 
> 
> 5. PROOF-OF-CONCEPT/EXPLOIT
> 
> - Cross Site Scripting
> 
> http://localhost/pg/embed/media?internalname=%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22
>  
> - SQL Injection > Info Disclosure
> 
> http://localhost/pg/search/?q=SQLin&search_type=tags&tag_names=location%27
> 
> 
> 6. SOLUTION
> 
> Upgrade to 1.7.11 or higher.
> 
> 
> 7. VENDOR
> 
> Curverider Ltd
> http://www.curverider.co.uk/
> http://elgg.org/
> 
> 
> 8. CREDIT
> 
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
> 
> 
> 9. DISCLOSURE TIME-LINE
> 
> 2011-08-01: vulnerability reported
> 2011-08-15: vendor released fixed version
> 2011-08-18: vulnerability disclosed
> 
> 
> 10. REFERENCES
> 
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/[elgg_1710]_xss_sqlin
> Project Home: http://elgg.org/
> Vendor Release Note:
> http://blog.elgg.org/pg/blog/brett/read/189/elgg-1711-released
> 
> 
> 
> #yehg [2011-08-18]
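The two proof-of-concept URLs quoted above show the bug classes but not the code behind them. The following is an added example, not code from the advisory or from Elgg: it takes the two PoC URLs verbatim, decodes the parameters the way a server would, reflects "internalname" into a hypothetical hidden-input template (Elgg's real markup is not on the page) to show how the payload breaks out of the attribute, and concatenates "tag_names" into a hypothetical SQL query over a toy SQLite table (the schema is constructed for the example) to show the error a stray quote produces. Beside each vulnerable form is the standard fix: attribute-context HTML encoding and a parameterized query.

```python
# Added example (not from the advisory or from Elgg): a toy page and a toy
# query reproduce the two bug classes the advisory describes, then the
# standard fixes (attribute-context escaping and a parameterized query).
import html
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# The advisory's two proof-of-concept URLs, copied from the post above.
XSS_URL = ("http://localhost/pg/embed/media?internalname=%20%22onmouseover=%22alert%28/XSS/%29%22style=%22"
           "width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22")
SQLI_URL = "http://localhost/pg/search/?q=SQLin&search_type=tags&tag_names=location%27"


def query_param(url, name):
    """Return the decoded value of one query parameter, as the server sees it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)[name][0]


# ---- XSS: "internalname" reflected into an HTML attribute value -----------
# Hypothetical template; the real Elgg markup is not shown on the page.
TEMPLATE = '<input type="hidden" name="internalname" value="%s">'


def render_vulnerable(internalname):
    # Raw interpolation: a double quote in the input closes the value attribute,
    # so the rest of the payload becomes new attributes (onmouseover, style).
    return TEMPLATE % internalname


def render_fixed(internalname):
    # Attribute-context encoding: quote=True turns " and ' into entities too.
    return TEMPLATE % html.escape(internalname, quote=True)


class _InputAttrs(HTMLParser):
    """Collect the attributes an HTML parser assigns to the <input> element."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(markup):
    """Parse the rendered markup and return the <input>'s attribute dict."""
    p = _InputAttrs()
    p.feed(markup)
    p.close()
    return p.attrs


# ---- SQL injection: "tag_names" concatenated into a query -----------------
def make_db():
    """Constructed in-memory table standing in for the tag search backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entities (id INTEGER PRIMARY KEY, tag TEXT)")
    conn.executemany("INSERT INTO entities (tag) VALUES (?)",
                     [("location",), ("location",), ("private",)])
    return conn


def search_vulnerable(conn, tag_name):
    """String-built query: returns (True, rows) or (False, error text)."""
    sql = "SELECT id FROM entities WHERE tag = '%s'" % tag_name
    try:
        return True, conn.execute(sql).fetchall()
    except sqlite3.Error as e:
        # A verbose error page is what turns the stray quote into disclosure.
        return False, str(e)


def search_fixed(conn, tag_name):
    """Parameterized query: the driver binds tag_name as data, never as SQL."""
    sql = "SELECT id FROM entities WHERE tag = ?"
    return True, conn.execute(sql, (tag_name,)).fetchall()


if __name__ == "__main__":
    payload = query_param(XSS_URL, "internalname")
    print("vulnerable attrs:", sorted(input_attributes(render_vulnerable(payload))))
    print("fixed attrs:     ", sorted(input_attributes(render_fixed(payload))))
    conn = make_db()
    probe = query_param(SQLI_URL, "tag_names")
    print("vulnerable:", search_vulnerable(conn, probe))
    print("fixed:     ", search_fixed(conn, probe))
    # Generic tautology against the toy query, not a claim about Elgg's SQL.
    print("tautology: ", search_vulnerable(conn, "x' OR '1'='1"))
```

Run stand-alone, the vulnerable render yields an <input> carrying onmouseover and style attributes the template never declared, while the escaped render keeps the whole payload inside value. The single-quote probe from the advisory fails the string-built query with an SQLite syntax error (the kind of message an unhandled error page leaks) and simply matches nothing under the parameterized form.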

