Vulnerability: SocialEngine (SocialEngine.net) high risk security flaw

2008-07-22T00:00:00
ID SECURITYVULNS:DOC:20208
Type securityvulns
Reporter Securityvulns
Modified 2008-07-22T00:00:00

Description

SECURITY ADVISORY CS-2008-2

Vulnerability: Improper validation of external parameters
Vendor: SocialEngine (http://www.socialengine.net)
Affected versions: <2.83
Risk: High

I. DESCRIPTION

Improper validation of browser cookies leads to complete control over client host.

II. BACKGROUND

During client authentication, cookies are used as input parameters for authorization and identity validation, both for users and for administrators. Specially crafted cookie parameters can cause SQL injection and give full administrative access rights. Additionally, full write access to the templates of the Smarty-based engine, together with an all-allow security level for template processing, allows injection of PHP code into templates, giving complete and undetected control of the server, such as direct access to the file system and direct access to any databases.

III. ANALYSIS

  1. User-level entry path via include/class_user.php

user_checkCookies -> se_user

  2. Admin-level entry path via include/class_admin.php

admin_checkCookies -> se_admin
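
One way to harden a cookie-driven identity check of the kind described in sections II and III, shown as an added example that is not SocialEngine's code or the vendor's patch. The function name, cookie names, table and column names are hypothetical, and the data is constructed in an in-memory SQLite database.

```php
<?php
declare(strict_types=1);

// Hypothetical names and schema; constructed sample data, not SocialEngine's code.
function check_cookies(PDO $db, array $cookies): ?array
{
    $id    = $cookies['user_id'] ?? null;
    $token = $cookies['user_token'] ?? null;

    // Accept only the exact shape the server issued:
    // a decimal id and a 64-character lowercase hex token.
    if (!is_string($id) || !is_string($token)
        || !preg_match('/\A[1-9][0-9]{0,9}\z/', $id)
        || !preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;
    }

    // Bound parameter: the cookie value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, name, token_hash FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // Only a hash of the token is stored; compare in constant time.
    if (!hash_equals((string) $row['token_hash'], hash('sha256', $token))) {
        return null;
    }
    return ['id' => (int) $row['id'], 'name' => (string) $row['name']];
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, token_hash TEXT)');
$token = bin2hex(random_bytes(32));
$ins = $db->prepare('INSERT INTO users (id, name, token_hash) VALUES (1, :n, :h)');
$ins->execute([':n' => 'alice', ':h' => hash('sha256', $token)]);

// Valid pair, malformed id, and well-formed but wrong token.
var_dump(check_cookies($db, ['user_id' => '1', 'user_token' => $token]));
var_dump(check_cookies($db, ['user_id' => "1'", 'user_token' => $token]));
var_dump(check_cookies($db, ['user_id' => '1', 'user_token' => str_repeat('0', 64)]));
```

The same pattern applies to the administrator path; the shape check rejects malformed values early, and the bound parameter keeps the query safe even if that check is later loosened.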

IV. POC EXPLOIT

not disclosed, submitted to vendor

V. DISCLOSURE TIMELINE

10-Jul-2008 Initial vendor notification
11-Jul-2008 Vendor releases patch
22-Jul-2008 Public Disclosure

VI. CREDITS

Creogenic Security
Tim Loshak
tim.loshak@gmail.com