PHP-Blogger Multiple Cross Site Scripting Vulnerabilities
Multiple Cross Site Scripting Vulnerabilities exist in PHP-Blogger, a
free photoblog script designed for posting news & slideshows.
http://www.phpblogger.com
Attached is the advisory which details the vulnerability.
Thanks,
OS2A
PHP-Blogger Multiple Cross Site Scripting Vulnerabilities
OS2A ID: OS2A_1006
Status:
14/06/2006  Issue Discovered
23/06/2006  Reported to the vendor (no response on repeated notification)
07/07/2006  Advisory Released
Class: Cross Site Scripting
Severity: Medium
Overview:
---------
PHP-Blogger is a free php script for creating a personal weblog (blog) or
photoblog.
http://www.phpblogger.com
Description:
------------
Multiple cross-site scripting vulnerabilities exist due to missing input validation
on parameters such as name, title, news, description and sitename, which are
handled in admin/actions.php.
Successful exploitation requires authentication.
Impact:
-------
A remote attacker could inject malicious script code in the victim's browser
within the security context of the hosting site and could also steal the
victim's cookie-based authentication credentials.
Affected Software(s):
---------------------
PHP-Blogger 2.2.5 (prior versions may also be vulnerable)
Proof of Concept:
-----------------
Sample exploits
http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_news
Vulnerable fields: Title, News
http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_slideshow
Vulnerable fields: Description
http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=preferences
http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=install
Vulnerable fields: Site name
Insert "<script>alert('XSS Vulnerable');</script>" in the above fields to try
the exploit.
Analysis:
---------
Vulnerable code in admin/actions.php (example snippet)

    // Request parameters are read straight from the client ...
    $id = getValue("id");
    $title = getValue("title");
    $description = getValue("description");
    $Post = $Blogger->getPost($id);
    $folder = $Post->getDir();
    // ... and stored on the post object without any validation or encoding,
    // so they reach the rendered HTML unchanged.
    $Post->setTitle($title);
    $Post->setDescription($description);
    $file = getPostFiles("pic0");

Input passed to many of the parameters handled by this script is not properly
sanitized before being stored and later rendered.
CVSS Score Report:
------------------
ACCESS_VECTOR = REMOTE
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = REQUIRED
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
IMPACT_BIAS = CONFIDENTIALITY
EXPLOITABILITY = POC
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 3.1 (AV:R/AC:L/Au:R/C:P/I:P/A:N/B:C)
CVSS Temporal Score = 2.8
Risk factor = Medium
Solution:
---------
Edit the source code so that user-supplied values are sanitized: validate them on
input and HTML-encode them before they are written into page output.
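The following is an added example, not PHP-Blogger's own code, illustrating the pattern from the Analysis section beside a hardened version: it assumes the script's getValue() returns raw request input, and the function names getValueRaw, getValueClean, h and renderTitle are hypothetical.

```php
<?php
// Added example (not PHP-Blogger's code). Assumption: the script's getValue()
// behaves like getValueRaw() below, returning the request value untouched.

// Raw lookup as described in the advisory: no validation, no encoding.
function getValueRaw(string $name): ?string {
    return isset($_REQUEST[$name]) ? (string) $_REQUEST[$name] : null;
}

// Hardened lookup: accepts only scalar, valid-UTF-8 strings of bounded length.
// It deliberately does not try to strip "<script>"; neutralising markup is the
// job of output encoding, which cannot be bypassed by alternative spellings.
function getValueClean(string $name, int $maxLen = 255): ?string {
    if (!isset($_REQUEST[$name]) || !is_string($_REQUEST[$name])) {
        return null;
    }
    $v = trim($_REQUEST[$name]);
    if (!mb_check_encoding($v, 'UTF-8')) {
        return null;  // malformed encoding could confuse the encoder below
    }
    return mb_substr($v, 0, $maxLen, 'UTF-8');
}

// Output encoding: every stored field is escaped at the point it enters HTML.
function h(?string $s): string {
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// How a template should render a post title.
function renderTitle(?string $title): string {
    return '<h2 class="post-title">' . h($title) . '</h2>';
}

// Demo with the advisory's test string (constructed input; no HTTP request
// is needed, the superglobal is filled in directly).
$_REQUEST['title'] = "<script>alert('XSS Vulnerable');</script>";

$unsafe = '<h2>' . getValueRaw('title') . '</h2>';   // markup reaches the page
$safe   = renderTitle(getValueClean('title'));         // markup is entity-encoded

assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
echo $safe, PHP_EOL;
```

Running the file from the command line is enough to see the encoded title; the assertions fail if either path stops behaving as described.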
Credits:
--------
Pavithra Hanchagaiah of OS2A has been credited with the discovery of this
vulnerability.