CVE-2012-1903, Stored XSS, JavaScript Injection, Telligent Community 5.6.583.20496

Telligent Community 5.6.583.20496 (Build: 5.6.583.20496)
CVE-2012-1903
Persistent Flash XSS

Keywords: Security, Web, Cross-Site Scripting, Private Bug Report, Dell, Community, Adobe Flash, Telligent, EoL, No Fix

The affected platform is based on the third-party community software Telligent Community 5.6.583.20496 (Build: 5.6.583.20496). The current release is Community 7.x, which was not tested; Version 5 is EoL.

Introduction
Telligent Community is social community software designed for flexibility in building customer-facing communities that achieve your business objectives for improving customer support, building brand loyalty and strengthening member networks. With Telligent Community, you can elevate customer experience with a branded community that perfectly reflects your brand and spur engagement with a complete set of social applications that add social context and relevancy to customer communication. Telligent Community features essential integration with popular social networks including Facebook and Twitter as well as web parts that add social capabilities such as blogging, friending and following to Microsoft SharePoint Internet sites.

Exploit

Our researchers discovered a persistent Flash XSS vulnerability caused by two minor security flaws that, combined, make the exploit work reliably and give it heavy impact.

1. A logged-in attacker can abuse a Community website to upload a maliciously prepared Flash file. This file is available for public browsing after a successful upload.
2. The Flash file is embedded by an Object element. This element is supplied with a special parameter capable of limiting the potentially dangerous scripting capabilities of the Flash file. While this parameter, called allowScriptAccess, should be set to the value never, it is actually set to SameDomain. This enables the uploaded file to fully utilize scripting capabilities and creates an XSS hazard.
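
An added example, not part of the original advisory or the vendor's code: a Python check that parses page markup and reports every Flash object/embed element whose effective allowScriptAccess is not never, treating a missing parameter as Flash Player's default of sameDomain. The function names and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

DEFAULT_ACCESS = "samedomain"  # Flash Player's value when the parameter is absent

def _is_flash(attrs):
    url = attrs.get("data") or attrs.get("src") or ""
    mime = attrs.get("type", "").lower()
    return mime == "application/x-shockwave-flash" or url.lower().endswith(".swf")

class FlashEmbedAuditor(HTMLParser):
    """Report Flash <object>/<embed> elements not pinned to allowScriptAccess=never."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, line, effective allowScriptAccess)
        self._obj = None     # state of the <object> currently open

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}  # parser lowercases names
        line = self.getpos()[0]
        if tag == "object":
            self._obj = {"line": line, "flash": _is_flash(a), "access": DEFAULT_ACCESS}
        elif tag == "param" and self._obj is not None:
            name = a.get("name", "").lower()
            if name == "allowscriptaccess":
                self._obj["access"] = a.get("value", "").lower()
            elif name == "movie":      # classid-style Flash object
                self._obj["flash"] = True
        elif tag == "embed" and _is_flash(a):
            self._report("embed", line, a.get("allowscriptaccess", DEFAULT_ACCESS).lower())

    def handle_endtag(self, tag):
        if tag == "object" and self._obj is not None:
            if self._obj["flash"]:
                self._report("object", self._obj["line"], self._obj["access"])
            self._obj = None

    def _report(self, tag, line, access):
        if access != "never":          # anything else lets the SWF script the page
            self.findings.append((tag, line, access))

def audit(html):
    auditor = FlashEmbedAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample markup, not taken from the affected product.
SAMPLE = """<object type="application/x-shockwave-flash" data="/f/a.swf">
<param name="allowScriptAccess" value="SameDomain"></object>
<object data="/f/b.swf"><param name="allowScriptAccess" value="never"></object>
<embed src="/f/c.swf">"""
```

Calling audit(SAMPLE) flags the first object and the bare embed; only the element explicitly set to never passes.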


A Proof of Concept (PoC) link was demonstrated to a target, and the PoC was provided in March 2012.

REWARD: 1250 EURO to ANONYMOUS

Bug Metrics:

Impact: High – complete control over a Community website and other Dell domains; Possibility to deploy Flash Malware and Virus Code

Exploitability: Critical – Any user visiting the maliciously prepared website can be affected. The potential victims do not have to be logged in. The attacker requires the victim to have a current version of the Flash Player installed.

Overall Score: Critical – Escalation of Privileges, Persistent Data Modification, Information Disclosure, Malware Distribution

Timeline:

April 9, 2012 – Received confirmation of receipt from Telligent
October 23, 2012 – Response from Vendor with Ticket ref:_00D408i2C._50040NKYr7:ref
March 25, 2013 – No response from Vendor, Published

Note – Version 5 is EoL