=============================================
- Release date: November 1st, 2012
- Discovered by: Enrico Cinquini & Danilo Massa
- Severity: High
=============================================

I. VULNERABILITY
-------------------------
Elgg insecure installation vulnerability.

II. INTRODUCTION
-------------------------
After Elgg is installed, many default files and directories remain in place, including the contents of the install/ directory. By default these files stay reachable from the Internet with a standard browser.

IV. DESCRIPTION
-------------------------
Requesting install/cli/sample_installer.php triggers a partial re-installation of the application. This disrupts the running service and partially alters the Elgg database.

V. PROOF OF CONCEPT
-------------------------
Below is a harmless test to check whether an Elgg installation is vulnerable. Using a browser, open the following URL:

http:///install/js/install.js

A vulnerable Elgg installation serves the install.js source; a secured installation returns a page-not-found error.

VI. BUSINESS IMPACT
-------------------------
A remote attacker could damage the Elgg installation by triggering the partial re-installation described above.

VII. SYSTEMS AFFECTED
-------------------------
Version 1.8.8 is vulnerable.

VIII. SOLUTION
-------------------------
Remove the Elgg install/ directory after installation. It is also recommended to remove the other files used only during installation (e.g. install.php, upgrade.php).

IX. REFERENCES
-------------------------
Elgg's wiki: http://docs.elgg.org/wiki/Main_Page

X. CREDITS
-------------------------
The vulnerability was discovered by:
Enrico Cinquini enrico(dot)cinquini(at)gmail(dot)com
Danilo Massa massa(under_score)danilo(at)gmail(dot)com

XI. VULNERABILITY HISTORY
-------------------------
September 28th, 2012: Vulnerability identification
October 1st, 2012: Vendor notification
November 1st, 2012: Vulnerability disclosure
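The following script is an added example and is not part of this advisory or of the Elgg project. It automates the harmless check from the proof of concept (fetching install/js/install.js and reading the answer) and audits a local web root for the installer artifacts the solution section says to remove. The status-code mapping, the "body starts with <" heuristic used to avoid being fooled by soft-404 pages, and the User-Agent string are assumptions made here; the script deliberately never requests install/cli/sample_installer.php, since that is the request that triggers the destructive partial re-installation.

```python
"""Check an Elgg site for leftover installer files, remotely and locally.

Remote check: fetch the harmless install/js/install.js probe from the advisory
and decide whether the install/ directory is still served. Local check: list
or delete the installer artifacts under the web root.
"""
import os
import shutil
import sys
import urllib.error
import urllib.request

# Installer artifacts the advisory says to remove once installation is done.
INSTALLER_PATHS = ("install", "install.php", "upgrade.php")

# The advisory's harmless probe: a static JS file, so reading it changes nothing.
# install/cli/sample_installer.php is deliberately never requested, because
# fetching it triggers the partial re-installation the advisory describes.
PROBE_PATH = "install/js/install.js"


def classify(status, body):
    """Map an HTTP status and body to "exposed", "blocked" or "unknown".

    A 200 whose body looks like script rather than an HTML page means the
    installer files are still served; 403/404/410 means the server no longer
    serves them. The "looks like HTML" test (body starts with "<") is an
    assumption added here so that soft-404 pages, which answer 200 with an
    HTML error page, are reported as "unknown" instead of "exposed".
    """
    text = body.lstrip()
    if status == 200:
        if text and not text.startswith("<"):
            return "exposed"
        return "unknown"
    if status in (403, 404, 410):
        return "blocked"
    return "unknown"


def probe(base_url, timeout=10):
    """Request <base_url>/install/js/install.js and classify the response."""
    url = base_url.rstrip("/") + "/" + PROBE_PATH
    # User-Agent value is arbitrary; set so the check is identifiable in logs.
    req = urllib.request.Request(url, headers={"User-Agent": "elgg-install-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.getcode(), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 4xx/5xx answers raise; the status code is still what we classify.
        return classify(err.code, "")


def leftover_files(webroot):
    """Return the installer artifacts still present directly under webroot."""
    return [p for p in INSTALLER_PATHS if os.path.lexists(os.path.join(webroot, p))]


def remove_installer(webroot):
    """Delete the installer artifacts from webroot; return the names removed."""
    removed = []
    for name in leftover_files(webroot):
        path = os.path.join(webroot, name)
        if os.path.isdir(path) and not os.path.islink(path):
            shutil.rmtree(path)
        else:
            os.remove(path)
        removed.append(name)
    return removed


if __name__ == "__main__":
    # Usage: python elgg_install_check.py http://elgg.example.org [/var/www/elgg]
    if len(sys.argv) < 2:
        sys.exit("usage: elgg_install_check.py BASE_URL [WEBROOT]")
    print("remote probe:", probe(sys.argv[1]))
    if len(sys.argv) > 2:
        left = leftover_files(sys.argv[2])
        print("leftover installer files:", left or "none")
```

Run the remote probe only against hosts you are authorised to test. urllib follows redirects, so a site that bounces unknown paths to an HTML login or error page is reported as "unknown" rather than "exposed"; inspect those by hand. remove_installer() deletes files, so run leftover_files() first and take a backup of the web root before removing anything.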
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.