SecurityvulnsSECURITYVULNS:DOC:20894Social Engine 2.7 CRLF Injection + SQL injection
[HACKATTACK Advisory 2008-11-20]Social Engine 2.7 CRLF Injection + SQL injection
Details
Product: Social Engine
Security-Risk: moderate
Remote-Exploit: yes
Vendor-URL: http://www.socialengine.net/
Vendor-Status: informed
Advisory-Status: published
Credits
Discovered by: David Vieira-Kurz of HACKATTACK IT SECURITY GmbH
http://www.HACKATTACK.at || http://www.HACKATTACK.eu
Affected Products:
Social Engine 2.7 and prior
Original Advisory:
http://www.HACKATTACK.at/
http://www.HACKATTACK.eu/
Introduction
SocialEngine is a PHP-based social network platform that lets you create a social network on your
website.
More Details
- SQL Injection:
Input passed to the POST variable "comment_secure" parameter in "profile_comments.php" is not
properly sanitised before being used in a SQL query.
- Cookie_Manipulation:
The cookie variable "PHPSESSID" is not properly sanitized before being used.
This can be exploited by injecting arbitrary custom headers using a carriage return linefeed
injection.
Solution
Edit the source code to ensure that input is properly sanitised.
You should work with "htmlspecialchars()" or "htmlentities()" php-function to ensure that html tags
are not going to be executed. You should also work with the "mysql_real_escape_string()"
php-function to ensure that sql statements
can't be delivered over the "get" variables. It's also possible to turn on magic_quotes, depending
on how you handle the quotes inside
of your script to make sure magic_quotes doesn't double escape the quotes.
Example:
clean = array();
$html = array();
$html['username'] = htmlentities($clean['username'],ENT_QUOTES,UTF-8');
?>
About HACKATTACK
HACKATTACK IT SECURITY GmbH is a Penetrationtest and security Auditing company located in Austria
and Germany.
Hotline Germany +49 (0)800 20 60 900
Hotline Austria +43 (0)06223 20 6210
More Information about HACKATTACK at
http://www.HACKATTACK.at || http://www.HACKATTACK.eu