Lucene search
K

Elgg 1.7.10 Cross Site Scripting / SQL Injection

🗓️ 18 Aug 2011 00:00:00Reported by Aung KhantType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 103 Views

Elgg 1.7.10 Cross Site Scripting / SQL Injection vulnerability in "internalname" paramete

Code
`1. OVERVIEW  
  
The Elgg 1.7.10 and lower versions are vulnerable to Cross Site  
Scripting and SQL Injection.  
  
  
2. BACKGROUND  
  
Elgg is an award-winning social networking engine, delivering the  
building blocks that enable businesses, schools, universities and  
associations to create their own fully-featured social networks and  
applications. Well-known Organizations with networks powered by Elgg  
include: Australian Government, British Government, Federal Canadian  
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,  
Johns Hopkins University and more (http://elgg.org/powering.php)  
  
  
3. VULNERABILITY DESCRIPTION  
  
The "internalname" parameter is not properly sanitized, which allows  
attacker to conduct Cross Site Scripting attack. This may allow an  
attacker to create a specially crafted URL that would execute  
arbitrary script code in a victim's browser. The "tag_names" is not  
properly sanitized, which allows attacker to conduct SQL Injection  
attack.  
  
  
4. VERSIONS AFFECTED  
  
Elgg 1.7.10 <=  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
- Cross Site Scripting  
  
http://localhost/pg/embed/media?internalname=%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22  
  
- SQL Injection > Info Disclosure  
  
http://localhost/pg/search/?q=SQLin&search_type=tags&tag_names=location%27  
  
  
6. SOLUTION  
  
Upgrade to 1.7.11 or higher.  
  
  
7. VENDOR  
  
Curverider Ltd  
http://www.curverider.co.uk/  
http://elgg.org/  
  
  
8. CREDIT  
  
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN  
Ethical Hacker Group, Myanmar.  
  
  
9. DISCLOSURE TIME-LINE  
  
2011-08-01: vulnerability reported  
2011-08-15: vendor released fixed version  
2011-08-18: vulnerability disclosed  
  
  
10. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/[elgg_1710]_xss_sqlin  
Project Home: http://elgg.org/  
Vendor Release Note:  
http://blog.elgg.org/pg/blog/brett/read/189/elgg-1711-released  
  
  
  
#yehg [2011-08-18]  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation