Elgg version 1.8.8 suffers from an insecure installation vulnerability.
=============================================
- Release date: November 1st, 2012
- Discovered by: Enrico Cinquini & Danilo Massa
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
Elgg insecure installation vulnerability.
II. INTRODUCTION
-------------------------
After installing Elgg, many default files and directories are created,
including those contained in the directory /install/.
By default, it is possible to call these files from the Internet using a
standard browser.
IV. DESCRIPTION
-------------------------
Calling install/cli/sample_installer.php triggers a partial re-installation
of the application, which causes the service itself to malfunction and
partially alters the Elgg database.
V. PROOF OF CONCEPT
-------------------------
Below is a harmless test that can be executed to check if an Elgg
installation is vulnerable.
Using a browser go to the following URL:
http://<elgg_url>/install/js/install.js
A vulnerable Elgg installation will show the install.js code; a secured
installation will not find the page.
VI. BUSINESS IMPACT
-------------------------
An attacker could damage the Elgg installation.
VII. SYSTEMS AFFECTED
-------------------------
Version 1.8.8 is vulnerable.
VIII. SOLUTION
-------------------------
Remove the Elgg install/ directory after installation.
It is recommended to remove all the other files used during the
installation (e.g. install.php, upgrade.php etc.)
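The following is an added example, not part of the original advisory or of
Elgg: a post-install audit that checks an Elgg document root for the installer
files named above. The function name and the "required"/"recommended" labels
are this example's own; it assumes the paths sit directly under the document root.

```python
#!/usr/bin/env python3
"""Audit an Elgg document root for installer files left behind after setup."""
import sys
from pathlib import Path

# Paths named in the advisory, relative to the Elgg document root.
# Labels are this example's own: "required" is the removal the SOLUTION
# section asks for, "recommended" is the removal it recommends in addition.
INSTALLER_PATHS = {
    "install": "required",
    "install.php": "recommended",
    "upgrade.php": "recommended",
}
# Files the advisory calls out inside install/, reported separately so the
# finding shows which of them is still present.
NAMED_FILES = ("install/cli/sample_installer.php", "install/js/install.js")


def audit_elgg_root(docroot):
    """Return a sorted list of (label, relative_path) findings."""
    root = Path(docroot)
    if not root.is_dir():
        raise NotADirectoryError(f"not a directory: {docroot}")
    findings = []
    for rel, label in INSTALLER_PATHS.items():
        target = root / rel
        # Dangling symlinks are reported too: exists() is False for them.
        if target.exists() or target.is_symlink():
            findings.append((label, rel))
    for rel in NAMED_FILES:
        if (root / rel).is_file():
            findings.append(("required", rel))
    return sorted(findings)


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} /path/to/elgg", file=sys.stderr)
        return 2
    findings = audit_elgg_root(argv[1])
    for label, rel in findings:
        print(f"[{label}] {rel} is still present")
    # Non-zero exit lets a deployment job or cron check fail on leftovers.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the document root after installation and after every upgrade;
an exit status of 0 means none of the listed paths remain.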
IX. REFERENCES
-------------------------
Elgg's wiki:
http://docs.elgg.org/wiki/Main_Page
X. CREDITS
-------------------------
The vulnerability has been discovered by:
Enrico Cinquini enrico(dot)cinquini(at)gmail(dot)com
Danilo Massa massa(under_score)danilo(at)gmail(dot)com
XI. VULNERABILITY HISTORY
-------------------------
September 28th, 2012: Vulnerability identification
October 1st, 2012: Vendor notification
November 1st, 2012: Vulnerability disclosure
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.