PHP-Blogger Multiple Cross Site Scripting Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx
Subject: PHP-Blogger Multiple Cross Site Scripting Vulnerabilities
From: "OS2A BTO" <os2a.bto@xxxxxxxxx>
Date: Fri, 7 Jul 2006 11:21:50 +0530
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type; b=ggek806dsdGOk8e1roBBeicy02ga4h58NcLaGsnKNoMrJo913GLxsvDsUMGDQmXXDASkhAbyeiwNSAkNajLt/6sfmQ2/+AJRLZdSvKvAHczSdU2OVyDXztBeR9+BOKd6nYLhmEHbzUx/3sytaDVynjCotrtJm/UlSv7xnffTrhY=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Multiple Cross Site Scripting Vulnerabilities exist in PHP-Blogger, a
free photoblog script designed for posting news & slideshows.
http://www.phpblogger.com

Attached is the advisory which details the vulnerability.

Thanks,
OS2A

PHP-Blogger Multiple Cross Site Scripting Vulnerabilities


OS2A ID: OS2A_1006                      Status:
                                        14/06/2006      Issue Discovered
                                        23/06/2006      Reported to the vendor
                                                        (No response on 
repeated notification)
                                        07/07/2006      Advisory Released 


Class: Cross Site Scripting             Severity: Medium


Overview:
---------
PHP-Blogger is a free php script for creating a personal weblog (blog) or 
photoblog.
http://www.phpblogger.com

Description:
------------
Multiple Cross-site scripting vulnerabilities exist due to input validation
errors in parameters like name, title, news, description, sitename etc., in 
admin/actions.php. 

Successful exploitation requires authentication.  

Impact:
-------
A remote attacker could inject malicious script code in the victim's browser
within the security context of the hosting site and also could steal the 
victim's
cookie-based authentication credentials.

Affected Software(s):
---------------------
PHP-Blogger 2.2.5 (prior versions may also be vulnerable)

Proof of Concept:
-----------------
Sample exploits

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_news
Vulnerable fields: Title, News

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_slideshow
Vulnerable fields: Description

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php/admin.php?action=preferences
http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=install
Vulnerable fields: Site name

Insert "<script>alert('XSS Vulnerable');</script>" in above fields to try the 
the exploit.

Analysis:
---------
Vulnerable code in admin/actions.php (example snippet)

  $id = getValue("id");
  $title = getValue("title");
  $description = getValue("description");
  $Post = $Blogger->getPost($id);
  $folder = $Post->getDir();
  $Post->setTitle($title);
  $Post->setDescription($description);
  $file = getPostFiles("pic0");

Input passed to many of the parameters in this script are not properly sanitized
before being used. 

CVSS Score Report:
------------------
    ACCESS_VECTOR          = REMOTE
    ACCESS_COMPLEXITY      = LOW
    AUTHENTICATION         = REQUIRED
    CONFIDENTIALITY_IMPACT = PARTIAL
    INTEGRITY_IMPACT       = PARTIAL
    AVAILABILITY_IMPACT    = NONE
    IMPACT_BIAS            = CONFIDENTIALITY
    EXPLOITABILITY         = POC
    REMEDIATION_LEVEL      = UNAVAILABLE
    REPORT_CONFIDENCE      = CONFIRMED
    CVSS Base Score        = 3.1 (AV:R/AC:L/Au:R/C:P/I:P/A:N/B:C)
    CVSS Temporal Score    = 2.8
    Risk factor            = Medium

Solution:
---------
Edit the source code to sanitize the user input values.

Credits:
--------
Pavithra Hanchagaiah of OS2A has been credited with the discovery of this 
vulnerability.

Prev by Date: WebEx Downloader Plug-in Multiple Vulnerabilities + rant
Next by Date: ATutor : Cross-Site Scripting Vulnerabilities
Previous by thread: RE: WebEx Downloader Plug-in Multiple Vulnerabilities + rant
Next by thread: ATutor : Cross-Site Scripting Vulnerabilities
Index(es):
- Date
- Thread