Multiple Cross Site Scripting Vulnerabilities exist in PHP-Blogger, a
free photoblog script designed for posting news & slideshows.
http://www.phpblogger.com
Attached is the advisory which details the vulnerability.
Thanks,
OS2A
PHP-Blogger Multiple Cross Site Scripting Vulnerabilities
OS2A ID: OS2A_1006
Status:
14/06/2006 Issue Discovered
23/06/2006 Reported to the vendor (no response on repeated notification)
07/07/2006 Advisory Released
Class: Cross Site Scripting Severity: Medium
Overview:
---------
PHP-Blogger is a free php script for creating a personal weblog (blog) or photoblog.
http://www.phpblogger.com
Description:
------------
Multiple Cross-site scripting vulnerabilities exist due to input validation
errors in parameters like name, title, news, description, sitename etc., in
admin/actions.php.
Successful exploitation requires authentication.
Impact:
-------
A remote attacker could inject malicious script code in the victim's browser
within the security context of the hosting site and also could steal the victim's
cookie-based authentication credentials.
Affected Software(s):
---------------------
PHP-Blogger 2.2.5 (prior versions may also be vulnerable)
Proof of Concept:
-----------------
Sample exploits
http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_news
Vulnerable fields: Title, News
http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_slideshow
Vulnerable fields: Description
http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php/admin.php?action=preferences
http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=install
Vulnerable fields: Site name
Insert "<script>alert('XSS Vulnerable');</script>" in the above fields to try the exploit.
Analysis:
---------
Vulnerable code in admin/actions.php (example snippet)
$id = getValue("id");                      // request parameter, used as-is
$title = getValue("title");                // request parameter, no validation or encoding
$description = getValue("description");    // request parameter, no validation or encoding
$Post = $Blogger->getPost($id);
$folder = $Post->getDir();
$Post->setTitle($title);                   // raw title stored and later rendered into HTML
$Post->setDescription($description);       // raw description stored and later rendered into HTML
$file = getPostFiles("pic0");
Input passed to many of the parameters in this script is not properly sanitized
or encoded before being stored and rendered back into the page.
CVSS Score Report:
------------------
ACCESS_VECTOR = REMOTE
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = REQUIRED
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
IMPACT_BIAS = CONFIDENTIALITY
EXPLOITABILITY = POC
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 3.1 (AV:R/AC:L/Au:R/C:P/I:P/A:N/B:C)
CVSS Temporal Score = 2.8
Risk factor = Medium
Solution:
---------
Edit the source code to validate the user input values and to HTML-encode them
wherever they are written back into a page.
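The following is an added example, not PHP-Blogger's own code, showing the remediation for the admin/actions.php pattern quoted in the Analysis section. The function names (getValue stand-in, normaliseText, escapeHtml, renderPostVulnerable, renderPostHardened) and the in-memory request array are assumptions made so the file runs stand-alone with the php command line; the advisory's $Blogger and $Post objects are left out. It places the vulnerable rendering beside a hardened one and checks that the advisory's test string is neutralised.

```php
<?php
// Added example (not PHP-Blogger's code): hardening for the title/description
// handling shown in the advisory. All names are hypothetical.
declare(strict_types=1);

// Escape a value for an HTML text or quoted-attribute context. ENT_QUOTES
// covers both quote styles; ENT_SUBSTITUTE avoids returning '' on bad bytes.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Normalise a free-text field on input: require valid UTF-8, drop control
// characters other than newline and tab, and cap the length. This is input
// validation only; it does not replace the output escaping above.
function normaliseText(string $value, int $maxLen): string
{
    if (!mb_check_encoding($value, 'UTF-8')) {
        $value = '';
    }
    $value = preg_replace('/[^\P{C}\n\t]+/u', '', $value) ?? '';
    return mb_substr($value, 0, $maxLen, 'UTF-8');
}

// Stand-in for the advisory's getValue(): reads a parameter from an explicit
// array so the example runs without a web server.
function getValue(array $request, string $key): string
{
    return isset($request[$key]) && is_string($request[$key]) ? $request[$key] : '';
}

// Vulnerable pattern from the advisory: raw input is stored and later echoed
// into the page unchanged.
function renderPostVulnerable(array $request): string
{
    $title = getValue($request, 'title');
    $description = getValue($request, 'description');
    return "<h2>$title</h2>\n<p>$description</p>";
}

// Hardened pattern: normalise on input, encode at the point of output.
function renderPostHardened(array $request): string
{
    $title = normaliseText(getValue($request, 'title'), 200);
    $description = normaliseText(getValue($request, 'description'), 5000);
    return '<h2>' . escapeHtml($title) . "</h2>\n<p>" . escapeHtml($description) . '</p>';
}

// Self-check: the hardened output must carry the payload as text, not markup.
function selfCheck(array $request): bool
{
    $hardened = renderPostHardened($request);
    return strpos($hardened, '<script') === false
        && strpos($hardened, '&lt;script&gt;') !== false;
}

// Constructed request using the advisory's test string plus a control byte
// and quotes in the description.
$request = [
    'title'       => "<script>alert('XSS Vulnerable');</script>",
    'description' => "Photos from the trip\x00 \"quoted\" & more",
];

echo "Vulnerable output:\n" . renderPostVulnerable($request) . "\n\n";
echo "Hardened output:\n" . renderPostHardened($request) . "\n\n";
echo 'Self-check: ' . (selfCheck($request) ? 'payload neutralised' : 'FAILED') . "\n";
```

The point to take from this is that stripping characters on input (the "sanitize" step the advisory asks for) is only half of the fix: the reliable control for stored XSS is encoding for the HTML context at the moment the value is written into the page, so that whatever reached the database is displayed as text rather than parsed as markup.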
Credits:
--------
Pavithra Hanchagaiah of OS2A has been credited with the discovery of this
vulnerability.