Social Engine 2.7 CRLF Injection + SQL injection

2008.11.21
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89

[HACKATTACK Advisory 2008-11-20] Social Engine 2.7 CRLF Injection + SQL injection

Details
************************
Product: Social Engine
Security-Risk: moderate
Remote-Exploit: yes
Vendor-URL: http://www.socialengine.net/
Vendor-Status: informed
Advisory-Status: published

Credits
************************
Discovered by: David Vieira-Kurz of HACKATTACK IT SECURITY GmbH
http://www.HACKATTACK.at || http://www.HACKATTACK.eu

Affected Products:
----------------------------
Social Engine 2.7 and prior

Original Advisory:
************************
http://www.HACKATTACK.at/
http://www.HACKATTACK.eu/

Introduction
************************
SocialEngine is a PHP-based social network platform that lets you create a social network on your website.

More Details
************************
1. SQL Injection:
---------------------
Input passed to the POST parameter "comment_secure" in "profile_comments.php" is not properly sanitised before being used in a SQL query.

2. Cookie Manipulation:
---------------------
The cookie variable "PHPSESSID" is not properly sanitised before being used. This can be exploited to inject arbitrary custom HTTP headers via carriage return / line feed (CRLF) injection.

Solution
************************
Edit the source code to ensure that input is properly sanitised. Use the "htmlspecialchars()" or "htmlentities()" PHP functions to ensure that HTML tags are not rendered. Also use the "mysql_real_escape_string()" PHP function to ensure that SQL statements cannot be delivered through the "get" variables. It is also possible to turn on magic_quotes, depending on how you handle quotes inside your script, so that magic_quotes does not double-escape them.

Example:

<?php
$clean = array();
$html  = array();
// Escape the validated username before it is written into the page.
$html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');
?>

About HACKATTACK
================
HACKATTACK IT SECURITY GmbH is a penetration-test and security-auditing company located in Austria and Germany.
Hotline Germany +49 (0)800 20 60 900
Hotline Austria +43 (0)06223 20 6210
More Information about HACKATTACK at http://www.HACKATTACK.at || http://www.HACKATTACK.eu
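The Solution section above names the two fixes in the abstract: escape output with htmlentities() and keep request input out of SQL query text. The following is an added example, not code from the advisory or from SocialEngine, showing one hardened handling of a profile comment and of the session cookie that covers both findings. It assumes a mysqli connection, a hypothetical table "profile_comments" with columns profile_id, author_id and body, a placeholder author id, and it uses a prepared statement (mysqli::prepare with bind_param) in place of the mysql_real_escape_string() the advisory recommends, since that function is gone in PHP 7 and later. The session id check allows only the character set PHP itself uses for session ids, which is what keeps a CR or LF from ever reaching a response header.

```php
<?php
// Added example (not SocialEngine code). Assumptions: a mysqli connection $db,
// a hypothetical table "profile_comments" (profile_id, author_id, body), and
// a session cookie named "PHPSESSID" whose legitimate values consist only of
// the characters PHP's session module emits, [A-Za-z0-9,-].

// 1. Session cookie (CRLF injection): allow-list the value. A value carrying
//    \r or \n fails this test, so it can never be copied into a Set-Cookie
//    or Location header by later code.
function valid_session_id(string $value): bool
{
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $value) === 1;
}

// 2. Comment text (SQL injection): never concatenate request input into the
//    query string. The prepared statement ships the value separately from the
//    SQL text, so quotes or comment markers in the body have no SQL meaning.
function store_comment(mysqli $db, int $profileId, int $authorId, string $body): bool
{
    $stmt = $db->prepare(
        'INSERT INTO profile_comments (profile_id, author_id, body) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('iis', $profileId, $authorId, $body);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 3. Output: escape at render time so a stored comment cannot inject HTML,
//    matching the htmlentities() advice in the advisory.
function render_comment(string $body): string
{
    return htmlentities($body, ENT_QUOTES, 'UTF-8');
}

// --- request flow (constructed; not the original profile_comments.php) ---
$sid = $_COOKIE['PHPSESSID'] ?? '';
if (!valid_session_id($sid)) {
    // Discard the tainted cookie rather than echoing it back in a header.
    setcookie('PHPSESSID', '', time() - 3600, '/');
    http_response_code(400);
    exit('invalid session');
}

$profileId = filter_input(INPUT_POST, 'profile_id', FILTER_VALIDATE_INT);
$body      = (string) ($_POST['comment_secure'] ?? '');
if ($profileId === false || $profileId === null || $body === '' || strlen($body) > 4000) {
    http_response_code(400);
    exit('bad request');
}

$authorId = 0; // placeholder: id of the logged-in user, normally taken from the session
$db = new mysqli('localhost', 'db_user', 'db_password', 'socialengine'); // placeholder credentials

if (store_comment($db, $profileId, $authorId, $body)) {
    echo '<p>' . render_comment($body) . '</p>';
}
```

The order matters: the cookie is validated before any header is emitted, the comment is bound as a parameter rather than escaped into the query, and escaping for HTML happens only at output. Enabling magic_quotes, which the advisory mentions as an alternative, does not cover the cookie case at all, since it only escapes quote characters and leaves CR and LF untouched.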
Copyright 2024, cxsecurity.com