Re: CVE Request: XSS in Elgg 1.8.12, 1.7.16 (core module "Twitter widget")

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/28/2013 05:15 PM, Moritz Naumann wrote:
> Hi,
>
> Elgg [1], versions 1.8.12 and 1.7.16 and earlier, bears a
> persistent script injection vulnerability in its core module
> "Twitter widget", which allows for XSS attacks.
>
> On installations which have the Twitter widget activated (disabled
> by default, but in use on many installations), any authenticated
> user may add the Twitter widget to their activity / dashboard page.
> Editing its configuration allows the user to set the
> twitter_username parameter. The value stored in this parameter will
> be echoed without sanitation [2] when the users' activity /
> dashboard page is requested (by the same or any other user,
> authenticated or not).
>
> According to changes committed [3] to their Git repository Elgg 
> developers will provide a fix for this issue in the upcoming (?)
> 1.8.13 release.
>
> Reported by: Moritz Naumann http://moritz-naumann.com
>
> A CVE ID has, to my knowledge, not yet been assigned. Secunia has 
> assigned it SA52007.
>
> A slightly more complete advisory should hit FD and Bugtraq any
> minute.
>
> Thanks,
>
> Moritz
>
> [1] http://elgg.org/ [2] 
> http://github.com/Elgg/Elgg/commit/a74a88501c41e89c8bcd7fc650ae2f8cc0a5003d#L2L21
[3]
> http://github.com/Elgg/Elgg/commit/19dc507c2fccb378be2a44a762edf6c1e7afa334#L0R11

Please
>
use CVE-2013-0234  for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRB24+AAoJEBYNRVNeJnmTFlgP/2jFTtmzOwILfjUVaRwNN5Ik
e8trVYZZsnw/V+JL40ewD/2RboWx1WoPwDvF0zVSjXNdFWX6pm4jdWZ5BbTI9gE7
i+qXbJIu/GnxuuZdzZm3ApVlHvvKidmCM8hhFm4TEGaSHuuv44V87iPumoq5Wfwq
qnjAKzwLNZK1w6SapvO0PjT7GHszgjvfcVQG9E2FQoAvWqYmu9ZEY7/YIooRrG9m
S35Oqc8f5/H4YveqJcpQvfTEpoQRiHDzoU/48JBN28pfQlJ/wzWdV6cgjcFmRfQB
Hej5PJyoM9ItAz1955X46t2J5mwFPBwtB5iiDj6Ta7790+sfyAt0JcW1MecfFc4n
swIpJXxKnTpTK6+MyBTRGXr/NCC0DI3LjxkU8kVxdcBfaVkzYiA9funa+yySfq6r
56CuwFTDQsvVNJYqACVkpN9sEBKw4dq+1Lb/EXA/2GzHuyKLN0oJtFevjv7Zt0hh
fSEI67dABS02tbPmKUBTUvFKhC4HTRm/Tqtir04A34FgKtv6H3+GnkzDLTVzx6VV
JEDKQoIPBboGuxwpsWUfJ8fJQlbxvS45RNbdv2ZUUMa/OI6j6WsOCeQb+QKoZCbo
mlB0rbGxrnLuVd7hLSLEpvetsz+gJloEsgaogo02icEdga6j1ARYGEnXd0kVcgrT
TMf84SPAaJh4HXPzWPj/
=4nBC
-----END PGP SIGNATURE-----