Telligent Community Server version 5.x suffers from multiple stored and reflected cross site scripting vulnerabilities.
34fa5fa62fc1c5f83cb2b324c3d252bc5d58128d95559f31576161f61015156b
Editor's note: 4 Advisories are grouped together here.
=======================================================================
*Community Server - Stored Cross-site Scripting in user's signature.
*
- Product description:
Community Server is a communities and collaboration web application
developed by Telligent.
It uses ASP.NET platform (C#) and Microsoft SQL Server database. From it's
5.0 version, the software was renamed to Telligent Community.
- Vulnerability Details:
It is possible to insert scripts (Cross-site Scripting) in user's signature,
using BBCode Tag's processing errors.
- Proof of Concept:
Set an user's signature to:
[img]invalid.jpg[url= onerror=alert(1) z=] a[/url][/img]
An alert will be show in every topic the user posts in and also in its
profile.
- Affected Versions:
Community Server 2007
(may affect others)
- Unaffected Versions:
Telligent Community 5.x or earlier
- Timeline:
[05/25/10] Vulnerability details sent to address for security related
contacts present at company's website, although the address did not exist.
[05/26/10] Ticket opened asking for contact to send off vulnerability
details.
[05/26/10] Ticket's answer received, containing e-mail for the sending of
vulnerability details.
[05/26/10]Vulnerability details sent.
[05/26/10] Answer received informing that vulnerability did not exist on
latest versions of the product.
[07/15/11] Advisory published.
- Credits:
PontoSec - Segurança da Informação < http://www.pontosec.com > - Researcher:
Gabriel Lima (gabriel <at> pontosec.com)
=======================================================================
Community Server - Reflected Cross-Site Scripting - TagSelector.aspx
- Product description:
Community Server is a communities and collaboration web application
developed by Telligent.
It uses ASP.NET platform (C#) and Microsoft SQL Server database. From
it's 5.0 version, the software was renamed to Telligent Community.
- Vulnerability Details:
It is possible to insert scripts at the page (Cross-site Scripting)
through the TagEditor parameter (GET) from /utility/TagSelector.aspx.
- Proof of Concept:
When accessing the TagSelector.aspx file, setting the TagEditor value
as );%0Aalert(1);</script> , an alert box containing a number 1
appears, confirming the vulnerability.
Example: http://site.example/utility/TagSelector.aspx?TagEditor=);%0Aalert(1);</script>
- Affected Versions:
Community Server 2007
Community Server 2008
(may affect others)
- Unaffected Versions:
Telligent Community 5.x or earlier
- Timeline:
[05/25/10] Vulnerability details sent to address for security related
contacts present at company's website, although the address did not
exist.
[05/26/10] Ticket opened asking for contact to send off vulnerability details.
[05/26/10] Ticket's answer received, containing e-mail for the sending
of vulnerability details.
[05/26/10] Vulnerability details sent.
[05/26/10] Answer received informing that vulnerability did not exist
on latest versions of the product.
[07/15/11] Advisory published.
Credits:
PontoSec - Segurança da Informação < http://www.pontosec.com > -
Researcher: Gabriel Lima (gabriel <at> pontosec.com)
=======================================================================
Community Server - Reflected Cross-Site Scripting - TagSelector.aspx
- Product description:
Community Server is a communities and collaboration web application
developed by Telligent.
It uses ASP.NET platform (C#) and Microsoft SQL Server database. From
it's 5.0 version, the software was renamed to Telligent Community.
- Vulnerability Details:
It is possible to insert scripts at the page (Cross-site Scripting)
through the TagEditor parameter (GET) from /utility/TagSelector.aspx.
- Proof of Concept:
When accessing the TagSelector.aspx file, setting the TagEditor value
as );%0Aalert(1);</script> , an alert box containing a number 1
appears, confirming the vulnerability.
Example: http://site.example/utility/TagSelector.aspx?TagEditor=);%0Aalert(1);</script>
- Affected Versions:
Community Server 2007
Community Server 2008
(may affect others)
- Unaffected Versions:
Telligent Community 5.x or earlier
- Timeline:
[05/25/10] Vulnerability details sent to address for security related
contacts present at company's website, although the address did not
exist.
[05/26/10] Ticket opened asking for contact to send off vulnerability details.
[05/26/10] Ticket's answer received, containing e-mail for the sending
of vulnerability details.
[05/26/10] Vulnerability details sent.
[05/26/10] Answer received informing that vulnerability did not exist
on latest versions of the product.
[07/15/11] Advisory published.
Credits:
PontoSec - Segurança da Informação < http://www.pontosec.com > -
Researcher: Gabriel Lima (gabriel <at> pontosec.com)
=======================================================================
Community Server - Stored Cross-site Scripting in user's signature.
- Product description:
Community Server is a communities and collaboration web application
developed by Telligent.
It uses ASP.NET platform (C#) and Microsoft SQL Server database. From
it's 5.0 version, the software was renamed to Telligent Community.
- Vulnerability Details:
It is possible to insert scripts (Cross-site Scripting) in user's
signature, using BBCode Tag's processing errors.
- Proof of Concept:
Set an user's signature to:
[img]invalid.jpg[url= onerror=alert(1) z=] a[/url][/img]
An alert will be show in every topic the user posts in and also in its profile.
- Affected Versions:
Community Server 2007
(may affect others)
- Unaffected Versions:
Telligent Community 5.x or earlier
- Timeline:
[05/25/10] Vulnerability details sent to address for security related
contacts present at company's website, although the address did not
exist.
[05/26/10] Ticket opened asking for contact to send off vulnerability details.
[05/26/10] Ticket's answer received, containing e-mail for the sending
of vulnerability details.
[05/26/10]Vulnerability details sent.
[05/26/10] Answer received informing that vulnerability did not exist
on latest versions of the product.
[07/15/11] Advisory published.
- Credits:
PontoSec - Segurança da Informação < http://www.pontosec.com > -
Researcher: Gabriel Lima (gabriel <at> pontosec.com)