SECURITY ADVISORY CS-2008-2 Vulnerability: Improper validation of external parameters Vendor: SocialEngine (http://www.socialengine.net) Affected versions: <2.83 Risk: High I. DESCRIPTION Improper validation of browser cookies leads to complete control over client host. II. BACKGROUND During client authentication, cookies are used as an input parameters for authorization and validation of identity both as user and as an administrator. It is possible to construct specially crafted cookie parameters which will cause sql injection and give full administrative access rights. Additionally, having full write access templates for smarty based engine, together with all-allow security level for the templates processing, allows injection of php code into templates, gaining complete and undetected control of the server, such as direct access to file system, direct access to any databases. III. ANALYSIS 1. user level entry path via include/class_user.php user_checkCookies -> se_user 2. admin level entry path via include/class_admin.php admin_checkCookies -> se_admin IV. POC EXPLOIT not disclosed, submitted to vendor V. DISCLOSURE TIMELINE 10-Jul-2008 Initial vendor notification 11-Jul-2008 Vendor releases patch 22-Jul-2008 Public Disclosure VI. CREDITS Creogenic Security Tim Loshak tim.loshak (at) gmail (dot) com [email concealed]