SocialEngine Multiple SQL Injection Vulnerabilities

Bugtraq ID:	30342
Class:	Input Validation Error
CVE:	CVE-2008-3297
Remote:	Yes
Local:	No
Published:	Jul 22 2008 12:00AM
Updated:	May 07 2015 05:25PM
Credit:	Tim Loshak from Creogenic Security
Vulnerable:	Social Engine Social Engine 2.81 Social Engine Social Engine 2.71 Social Engine Social Engine 2.0
Not Vulnerable:	Social Engine Social Engine 2.83

SocialEngine Multiple SQL Injection Vulnerabilities

SocialEngine is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to SocialEngine 2.83 are vulnerable.

SocialEngine Multiple SQL Injection Vulnerabilities

Attackers can use a browser to exploit these issues.

SocialEngine Multiple SQL Injection Vulnerabilities

Solution:
The vendor has released a patch. Please see the references for more information.


Social Engine Social Engine 2.0

• Social Engine socialengine283_patch.zip
  http://community.socialengine.net/tutorials/socialengine283_patch.zip

Social Engine Social Engine 2.81

• Social Engine socialengine283_patch.zip
  http://community.socialengine.net/tutorials/socialengine283_patch.zip

Social Engine Social Engine 2.71

• Social Engine socialengine283_patch.zip
  http://community.socialengine.net/tutorials/socialengine283_patch.zip

SocialEngine Multiple SQL Injection Vulnerabilities

References:

• Important Security Patch Released - SE 2.83 (SocialEngine)
  
• Vendor Homepage (SocialEngine)
  
• Vulnerability: SocialEngine (SocialEngine.net) high risk security flaw ("Tim Loshak" )