
Multiple Vulns in Psychoblogger beta1



Hello Bugtraq,

As a part of a recent code audit of the Psychoblogger beta1 code, multiple 
vulnerabilities were found in the standard distributed code base.

These vulnerabilities range from XSS exploits to SQL Injection exploits.

All details in attached advisory or at 
http://www.fribble.net/advisories/psychoblogger_19-12-03.txt

Kind Regards,

Calum Power
PS - Happy Christmas to everyone =)


---------------------------------------
Title: Multiple vulnerabilities in Psychoblogger CMS package

Package description (From vendor website):
"This is a PHP/MySQL blogging tool with many features."

Vendor website:
http://www.psychoblogger.com

Affected versions:
To the best of my knowledge, there is only one public release available: PB-beta1.
There may or may not have been some private development done (unconfirmed).

Summary:
Psychoblogger is a CMS package aimed at providing weblogs (or 'blogs') with an easy-to-set-up
system for editing and authoring the content.
The standard package has many inherent vulnerabilities that may allow the compromise of a web server
or website using the distributed code.

Vendor Contact:
Author contacted, advisory acknowledged, fixes to be released soon.

---------------------------------------
Vulnerabilities


VULN #1:
    There is a Cross-Site-Scripting vulnerability in the script 'imageview.php', which allows for
    insertion of scripting on the client side. This can be exploited by setting the 'desc' GET
    variable. This variable is printed without any checking, in between the <title> tags.
    Because scripting cannot be inserted directly into the title, one must first break out of the
    <title> tag. This can be exploited like so:

http://server.com/imageview.php?desc=</title><script>alert(document.cookie)</script>

    IMPACT: Low/Medium - This vulnerability may be able to be exploited to hijack the session of a
    currently logged-in editor, and thus gain administrative privileges over the weblog. However,
    (as usual) XSS vulns are quite hard to exploit successfully.

VULN #2:
    A Cross-Site-Scripting vulnerability exists in the scripts 'entryadmin.php', 'authoredit.php',
    'blockedit.php', 'configadmin.php' and 'quoteedit.php'. These vulnerabilities can be exploited by
    using a URI similar to the one below:

http://server.com/entryadmin.php?error=1&errormessage=<script>alert('xss')</script>

    IMPACT: Low - These vulnerabilities may only be exploited if the user is currently logged in to
    the 'editor' interface, and as such may be incredibly hard to exploit successfully.
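Both XSS issues above come from echoing a request parameter into HTML without encoding it for the context it lands in: the text of the <title> element in imageview.php and the error banner in the editor scripts. The following is an added example written for this advisory, not code from the Psychoblogger package; the function names are my own, and the two sample strings are constructed test inputs shaped like the advisory's URIs. It shows the encoding step that would prevent a parameter value from closing the <title> element or introducing a new element.

```php
<?php
// Added example (not Psychoblogger code): context-aware output encoding for
// the two places the advisory names, the <title> text of imageview.php
// ('desc') and the error banner of the editor scripts ('errormessage').
declare(strict_types=1);

// Encode untrusted text for an HTML text or attribute context. With ENT_QUOTES
// both quote characters are encoded, and '<' becomes '&lt;', so a value such
// as "</title><script>" can no longer close the title element.
function html_encode(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened equivalent of printing 'desc' between the <title> tags.
// In the real script the argument would come from $_GET['desc'] ?? ''.
function render_title(string $desc): string
{
    return '<title>' . html_encode($desc) . '</title>';
}

// Hardened equivalent of echoing 'errormessage' in the editor scripts: the
// error flag is treated as an integer and the message is encoded before use.
function render_error_banner(string $errorFlag, string $message): string
{
    if ((int) $errorFlag !== 1) {
        return '';
    }
    return '<p class="error">' . html_encode($message) . '</p>';
}

// Constructed test inputs in the shape of the advisory's URIs.
$samples = [
    'desc'         => '</title><script>alert(document.cookie)</script>',
    'errormessage' => "<script>alert('xss')</script>",
];

if (PHP_SAPI === 'cli') {
    echo render_title($samples['desc']), PHP_EOL;
    echo render_error_banner('1', $samples['errormessage']), PHP_EOL;
    // Neither rendered string contains a raw '<script' tag any more.
    var_dump(stripos(render_title($samples['desc']), '<script') === false);
    var_dump(stripos(render_error_banner('1', $samples['errormessage']), '<script') === false);
}
```

htmlspecialchars() is the right tool only for HTML text and quoted attribute contexts; a value placed inside a JavaScript block or a URL needs the encoding rules of that context instead, which is why the example keeps 'desc' strictly as element text.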

VULN #3:
    A SQL-Injection vulnerability exists in 'shouts.php' by using the variable 'shoutlimit'.
    I have not been able to successfully exploit this vulnerability to any great extent using UNION,
    as the original script query already includes an 'order by' statement. However, the severity of
    this vuln is still quite large, and if anyone wishes to provide some POC code for this, please
    let me know =)

    IMPACT: Severe - SQL-Injection vulnerabilities can be used to obtain usernames and passwords of
    privileged accounts on the website.

VULN #4:
    Another SQL-Injection vulnerability exists in the 'comments.php' script, using the variable
    'blogid'. By sending an HTTP 'POST' request to 'comments.php' with the variable 'blogid' set to
    the exploit string below, an attacker could potentially obtain encrypted passwords for later
    brute-forcing. The SQL injection that could exploit this vulnerability is demonstrated here:

        1 and 'a'='z' union select ba.authorid,name,pwd,email,url,ba.active,comments,be.blogid
        from blog_authors ba, blog_entries be where 'a'='a'

    This string manipulates the SQL query into looking something like this:

        select blogid,preview,entry,be.dateentered,title,pageviews,usepreview,name
        from blog_entries be inner join blog_authors ba on be.authorid=ba.authorid
        where blogid=1 and 'a'='z' union select ba.authorid,name,pwd,email,url,ba.active,comments,be.blogid
        from blog_authors ba, blog_entries be where 'a'='a' and be.active=1

    which returns a result set that lists the user rights of the first user in the database
    (usually the administrator).

    IMPACT: Critical - This vulnerability could allow for the stealing of encrypted passwords from
    the database, which then allows them to be brute-forced.
    
VULN #5:
    A third SQL-Injection vulnerability exists in the script 'functions.php' in the method blogs()
    where a SQL query is built. (Note: The actual query is executed in 'userfunctions.php', method
    showblogs() in the appropriate skins directory.) By sending a request to the script
    'category.php', one can manipulate the string into outputting an author password.
    The SQL injection that could exploit this string is thus:

        1 and 1=2 union select ba.authorid,name,pwd,email,url,ba.active,comments,be.blogid,be.preview
        from blog_authors ba, blog_entries be where 1=1

    This would manipulate the string into something like this:

        select be.blogid,be.preview,be.entry,be.dateentered,be.title,be.pageviews,be.usepreview,ba.name,be.pinned
        from blog_entries be inner join blog_authors ba on be.authorid=ba.authorid
        where catid=1 and 1=2 union select ba.authorid,name,pwd,email,url,ba.active,comments,be.blogid,be.preview
        from blog_authors ba, blog_entries be where 1=1 and be.active=1 order by be.dateentered desc

    IMPACT: Critical - This vulnerability might allow for the stealing of encrypted password strings
    from the database.
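VULN #3, #4 and #5 share one root cause: an integer request parameter ('shoutlimit', 'blogid', 'catid') is spliced into the SQL text, so the query's structure follows the parameter. The example below is added for this advisory and is not Psychoblogger code. The table and column names are taken from the queries quoted above; the column types, the blog_shouts table name, the sample rows and the function names are my own assumptions. It uses PDO with an in-memory SQLite database so it runs offline, and it shows the vulnerable string-built query for contrast next to a version that validates the integer and binds it as a parameter, including the LIMIT case that needs an integer-typed binding.

```php
<?php
// Added example (not Psychoblogger code): validated, parameterised handling
// of the integer parameters behind the advisory's three injection points.
declare(strict_types=1);

// Vulnerable shape, for contrast only: the request value is spliced into the
// SQL text, so anything after the number becomes part of the statement.
function entry_sql_unsafe(string $blogid): string
{
    return "select blogid,preview,entry,be.dateentered,title,pageviews,usepreview,name"
         . " from blog_entries be inner join blog_authors ba on be.authorid=ba.authorid"
         . " where blogid=$blogid and be.active=1";
}

// Reject anything that is not a plain integer in range before it gets near
// the database. 'blogid', 'catid' and 'shoutlimit' are integers by design.
function require_int(?string $raw, int $min = 0, int $max = PHP_INT_MAX): int
{
    $opts  = ['options' => ['min_range' => $min, 'max_range' => $max]];
    $value = filter_var($raw, FILTER_VALIDATE_INT, $opts);
    if ($value === false) {
        throw new InvalidArgumentException('parameter must be an integer in range');
    }
    return $value;
}

// Hardened comments.php / category.php style lookup: the validated integer is
// bound to a placeholder, so it can never alter the statement's structure.
function fetch_entry(PDO $db, ?string $rawBlogId): array
{
    $blogid = require_int($rawBlogId, 1);
    $stmt = $db->prepare(
        'select be.blogid, be.preview, be.entry, be.dateentered, be.title, be.pageviews, be.usepreview, ba.name'
        . ' from blog_entries be inner join blog_authors ba on be.authorid = ba.authorid'
        . ' where be.blogid = :blogid and be.active = 1'
    );
    $stmt->bindValue(':blogid', $blogid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shouts.php style listing. A LIMIT value must be bound with
// PDO::PARAM_INT; a string-typed binding is quoted by some drivers and turns
// into a syntax error. The value is also clamped to a sane range.
function fetch_shouts(PDO $db, ?string $rawLimit): array
{
    $limit = require_int($rawLimit ?? '10', 1, 100);
    $stmt = $db->prepare('select shoutid, name, shout from blog_shouts order by shoutid desc limit :lim');
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory schema and rows (assumed column types; SQLite via PDO
// so the script runs without a MySQL server).
function sample_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('create table blog_authors (authorid integer, name text, pwd text, email text, url text, active integer, comments text)');
    $db->exec('create table blog_entries (blogid integer, authorid integer, preview text, entry text, dateentered text, title text, pageviews integer, usepreview integer, active integer, catid integer)');
    $db->exec('create table blog_shouts (shoutid integer, name text, shout text)');
    $db->exec("insert into blog_authors values (1, 'admin', 'HASH-PLACEHOLDER', 'admin@example.invalid', '', 1, '')");
    $db->exec("insert into blog_entries values (1, 1, 'p', 'hello world', '2003-12-19', 'first post', 0, 0, 1, 1)");
    $db->exec("insert into blog_shouts values (1, 'visitor', 'hi')");
    return $db;
}

if (PHP_SAPI === 'cli') {
    $db = sample_db();
    // Constructed input in the shape of the advisory's VULN #4 string.
    $injected = "1 and 'a'='z' union select ba.authorid,name,pwd,email,url,ba.active,comments,be.blogid"
              . " from blog_authors ba, blog_entries be where 'a'='a'";
    echo entry_sql_unsafe($injected), PHP_EOL;   // the statement shape the advisory reconstructs
    print_r(fetch_entry($db, '1'));              // a normal lookup still works
    try {
        fetch_entry($db, $injected);             // rejected before any SQL is built
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
    print_r(fetch_shouts($db, '5'));
}
```

The validation step in require_int() is what makes the error visible at the application boundary; the prepared statement is what guarantees that even a value which slips past validation cannot change the query. Logging the rejected value (without echoing it back into a page) gives the kind of signal that would show the probes described above in a web log review.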