Full Disclosure mailing list archives

Elgg unsecure installation vulnerability


From: Enrico Cinquini <enrico.cinquini () gmail com>
Date: Thu, 1 Nov 2012 15:15:51 +0100

=============================================
- Release date: November 1st, 2012
- Discovered by: Enrico Cinquini & Danilo Massa
- Severity: High
=============================================

I. VULNERABILITY
-------------------------

Elgg unsecure installation vulnerability.


II. INTRODUCTION
-------------------------

After installing Elgg, many default files and directories are created,
including those contained in the directory /install/. By default, these
files can be requested from the Internet using a standard browser.


 IV. DESCRIPTION
-------------------------

Requesting install/cli/sample_installer.php triggers a partial
re-installation of the application, which causes the service itself to
malfunction and partially alters the Elgg database.


V. PROOF OF CONCEPT
-------------------------

Below is a harmless test that can be run to check whether an Elgg
installation is vulnerable.

Using a browser go to the following URL:

http://<elgg_url>/install/js/install.js

A vulnerable Elgg installation will return the install.js source; a
secured installation will not find the page.


VI. BUSINESS IMPACT
-------------------------

An attacker could damage the Elgg installation.


VII. SYSTEMS AFFECTED
-------------------------

Version 1.8.8 is vulnerable.


VIII. SOLUTION
-------------------------

Remove the Elgg install/ directory after installation.
It is also recommended to remove all other files used during
installation (e.g. install.php, upgrade.php, etc.).
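The browser test from section V and the removal advice above, combined into one
defender-side script: it probes the advisory's install.js URL and audits a local
Elgg root for the leftover installer files. This is an added example, not code from
the advisory or the Elgg project; it assumes a standard Elgg 1.8 directory layout.

```python
"""Checks for leftover Elgg installer files (added example, not from the
advisory). Paths come from the advisory; the layout is assumed to be Elgg 1.8."""
import os
import tempfile
import urllib.error
import urllib.request

# Artifacts the advisory says to remove after installation.
LEFTOVER_PATHS = ["install/", "install.php", "upgrade.php"]
PROBE_PATH = "install/js/install.js"   # the advisory's harmless test URL


def http_status(url, timeout=10):
    """Return the HTTP status code of a GET for url; the body is not needed."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def classify(status):
    """Map the probe's status code to the advisory's verdict."""
    if status == 200:
        return "vulnerable"   # installer files are reachable from the web
    if status in (403, 404, 410):
        return "secured"      # removed, or blocked by the web server
    return "unknown"          # redirects, errors: inspect manually


def probe_remote(base_url, fetch=http_status):
    """Probe a live site; `fetch` is injectable so the logic runs offline in tests."""
    url = base_url.rstrip("/") + "/" + PROBE_PATH
    return classify(fetch(url))


def audit_local(elgg_root):
    """Return the leftover installer artifacts still present under elgg_root."""
    found = []
    for rel in LEFTOVER_PATHS:
        path = os.path.join(elgg_root, rel.rstrip("/"))
        exists = os.path.isdir if rel.endswith("/") else os.path.isfile
        if exists(path):
            found.append(rel)
    return found


def demo_local_audit():
    """Build a throwaway tree with two leftovers and audit it (constructed input)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "install", "js"))
    open(os.path.join(root, "upgrade.php"), "w").close()
    return audit_local(root)   # → ['install/', 'upgrade.php']
```

Run `probe_remote("http://<elgg_url>")` against your own site and `audit_local("/path/to/elgg")` on the web root; an empty list and a "secured" verdict mean the cleanup is complete.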


IX. REFERENCES
-------------------------

Elgg's wiki:

http://docs.elgg.org/wiki/Main_Page


X. CREDITS
-------------------------

The vulnerability has been discovered by:

Enrico Cinquini enrico(dot)cinquini(at)gmail(dot)com
Danilo Massa massa(under_score)danilo(at)gmail(dot)com


XI. VULNERABILITY HISTORY
-------------------------

September 28th, 2012: Vulnerability identification
October 1st, 2012: Vendor notification
November 1st, 2012: Vulnerability disclosure

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/