Social Engine 2.7 CRLF Injection + SQL injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Social Engine 2.7 CRLF Injection + SQL injection
From: office@xxxxxxxxxxxxx
Date: Thu, 20 Nov 2008 10:20:21 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

[HACKATTACK Advisory 2008-11-20]Social Engine 2.7 CRLF Injection + SQL injection

Details
************************
Product: Social Engine
Security-Risk: moderate
Remote-Exploit: yes
Vendor-URL: http://www.socialengine.net/
Vendor-Status: informed
Advisory-Status: published

Credits
************************
Discovered by: David Vieira-Kurz of HACKATTACK IT SECURITY GmbH
http://www.HACKATTACK.at || http://www.HACKATTACK.eu

Affected Products:
----------------------------
Social Engine 2.7 and prior

Original Advisory:
************************
http://www.HACKATTACK.at/
http://www.HACKATTACK.eu/
Introduction
************************
SocialEngine is a PHP-based social network platform that lets you create a 
social network on your website.

More Details
************************
1. SQL Injection:
---------------------
Input passed to the POST variable "comment_secure" parameter in 
"profile_comments.php" is not properly sanitised before being used in a SQL 
query.


2. Cookie_Manipulation:
---------------------
The cookie variable "PHPSESSID" is not properly sanitized before being used.
This can be exploited by injecting arbitrary custom headers using a carriage 
return linefeed injection. 


Solution
************************
Edit the source code to ensure that input is properly sanitised.
You should work with "htmlspecialchars()" or "htmlentities()" php-function to 
ensure that html tags
are not going to be executed. You should also work with the 
"mysql_real_escape_string()" php-function to ensure that sql statements
can't be delivered over the "get" variables. It's also possible to turn on 
magic_quotes, depending on how you handle the quotes inside
of your script to make sure magic_quotes doesn't double escape the quotes. 

Example:
# clean = array();
# $html = array();
# $html['username'] = htmlentities($clean['username'],ENT_QUOTES,UTF-8'); 
?>

About HACKATTACK
================
HACKATTACK IT SECURITY GmbH is a Penetrationtest and security Auditing company 
located in Austria and Germany.

Hotline Germany +49 (0)800 20 60 900
Hotline Austria +43 (0)06223 20 6210
More Information about HACKATTACK at
http://www.HACKATTACK.at || http://www.HACKATTACK.eu

Prev by Date: Re: Re: Re: Re: Re: Opera 9.6x file:// overflow
Next by Date: Re: Re: Re: Re: Re: Opera 9.6x file:// overflow
Previous by thread: [security bulletin] HPSBMA02388 SSRT080059 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Cross Site Scripting (XSS)
Next by thread: SecurityReason : PHP 5.2.6 (error_log) safe_mode bypass
Index(es):
- Date
- Thread