PHP-Blogger Multiple Cross Site Scripting Vulnerabilities

CVE: N/A
Category: CWE-79
Price: N/A
Severity: High
Author: Exploit Alert
Risk: High
Exploitation Type: Remote
Date: 2006-07-14
CPE: cpe:Not available
PURL: pkg:Not available
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006070053

Below is a copy:

Multiple Cross Site Scripting Vulnerabilities exist in PHP-Blogger, a
free photoblog script designed for posting news & slideshows.
http://www.phpblogger.com

Attached is the advisory which details the vulnerability.

Thanks,
OS2A
PHP-Blogger Multiple Cross Site Scripting Vulnerabilities

OS2A ID: OS2A_1006			Status:
					14/06/2006	Issue Discovered
					23/06/2006	Reported to the vendor
							(No response on repeated notification)
					07/07/2006	Advisory Released

Class: Cross Site Scripting		Severity: Medium

Overview:
---------
PHP-Blogger is a free php script for creating a personal weblog (blog) or photoblog.
http://www.phpblogger.com

Description:
------------
Multiple Cross-site scripting vulnerabilities exist due to input validation
errors in parameters like name, title, news, description, sitename etc., in 
admin/actions.php.

Successful exploitation requires authentication.

Impact:
-------
A remote attacker could inject malicious script code in the victim's browser
within the security context of the hosting site and also could steal the victim's
cookie-based authentication credentials.

Affected Software(s):
---------------------
PHP-Blogger 2.2.5 (prior versions may also be vulnerable)

Proof of Concept:
-----------------
Sample exploits

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_news
Vulnerable fields: Title, News

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_slideshow
Vulnerable fields: Description

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php/admin.php?action=preferences
http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=install
Vulnerable fields: Site name

Insert "<script>alert('XSS Vulnerable');</script>" in the above fields to try the exploit.

Analysis:
---------
Vulnerable code in admin/actions.php (example snippet)

  $id = getValue("id");
  $title = getValue("title");
  $description = getValue("description");
  $Post = $Blogger->getPost($id);
  $folder = $Post->getDir();
  $Post->setTitle($title);
  $Post->setDescription($description);
  $file = getPostFiles("pic0");

Input passed to many of the parameters in this script is not properly sanitized
before being used.

CVSS Score Report:
------------------
    ACCESS_VECTOR          = REMOTE
    ACCESS_COMPLEXITY      = LOW
    AUTHENTICATION         = REQUIRED
    CONFIDENTIALITY_IMPACT = PARTIAL
    INTEGRITY_IMPACT       = PARTIAL
    AVAILABILITY_IMPACT    = NONE
    IMPACT_BIAS            = CONFIDENTIALITY
    EXPLOITABILITY         = POC
    REMEDIATION_LEVEL      = UNAVAILABLE
    REPORT_CONFIDENCE      = CONFIRMED
    CVSS Base Score        = 3.1 (AV:R/AC:L/Au:R/C:P/I:P/A:N/B:C)
    CVSS Temporal Score    = 2.8
    Risk factor            = Medium

Solution:
---------
Edit the source code to sanitize the user input values.
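
One way to apply this fix, shown as an added example that is not part of the OS2A advisory or PHP-Blogger's own code: validate the fields on input and HTML-encode them wherever they are written into a page. DemoPost, cleanField(), e() and renderPost() are hypothetical names; PHP 7.4 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the post object; PHP-Blogger's real class is not shown in the advisory.
final class DemoPost
{
    public string $title = '';
    public string $description = '';
}

// Input side: reject invalid UTF-8, drop control characters, enforce a length cap.
// Text is stored as typed; markup is neutralised at output, not here.
function cleanField(string $raw, int $maxBytes): string
{
    if (preg_match('//u', $raw) !== 1) {
        throw new InvalidArgumentException('field is not valid UTF-8');
    }
    $s = trim((string) preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', '', $raw));
    if (strlen($s) > $maxBytes) {
        throw new InvalidArgumentException('field too long');
    }
    return $s;
}

// Output side: encode for HTML element content and quoted attribute values.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderPost(DemoPost $post): string
{
    return '<h2 title="' . e($post->title) . '">' . e($post->title) . "</h2>\n"
         . '<p>' . nl2br(e($post->description)) . "</p>\n";
}

// Constructed sample input: the test string from the Proof of Concept section.
$post = new DemoPost();
$post->title = cleanField("<script>alert('XSS Vulnerable');</script>", 200);
$post->description = cleanField("line one\n\"quoted\" & <b>bold</b>", 2000);

// The markup reaches the page as inert text in both the attribute and the element body.
echo renderPost($post);
```

These helpers cover HTML element content and quoted attribute values only; a value written into a script block or a URL needs the encoding for that context.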

Credits:
--------
Pavithra Hanchagaiah of OS2A has been credited with the discovery of this 
vulnerability.
