Elgg security issue

By pa

Hi,

One of our testers has found a security issue on Elgg, i.e. when hitting a URL like

[[Edited for content]]

Can anyone please give me some suggestions?

Thanks

pa

  • What version of Elgg? I tried this with a 1.7 install and could not reproduce. Looking through the code, I don't see any way for this to succeed. The view parameter sets the viewtype, not the name of a file to be viewed.

  • We have Elgg 1.5, PHP 5.2.6, Apache 2.2.11 installed. I can reproduce the issue. It happens not only on the blog page, but also on the following

    [[Edited for content]]

    pa

  • I have just tested with Elgg 1.7 installed and cannot reproduce it. It looks like the problem happens only in Elgg 1.5.

    Unfortunately, our production is 1.5.

    I think I will report this issue to the security team.

    If anyone comes up with an idea, please suggest.

    Thanks

    pa

  • I have confirmed that this does not happen with 1.6 or 1.7 but does with 1.5. A good solution is to filter the viewtype in elgg_view to detect the presence of non-alphanumeric characters. As I understand it, you can expect a fix to this issue soon.

  • [[Edited for content]]

  • @pa - Security issues are to be reported to security@elgg.com!  Please stop posting them to the community site.

  • @Brett

    Report through e-mail?

    Btw, I tested the link above and it broke my site.  CSS was not applied.  I got some parts of my custom theme mixed with some style and formatting of the default theme.

    I'm using v1.7 and Firefox and IE8.

  • @GMA - Yes.  All security reports are to be submitted by an email to security@elgg.com.