Simple PHP Blog Multiple Vulnerabilities
Secure Network - Security Research Advisory
Vuln name: Simple PHP Blog Multiple Vulnerabilities
Systems affected: simplePHPBlog 0.5.0.1, simplePHPBlog 0.4.8 and all previous
versions
Systems not affected: -
Severity: Medium
Local/Remote: Remote
Vendor URL: http://www.simplephpblog.com/
Author(s): Luca "ikki" Carettoni - luca.carettoni@xxxxxxxxxxxxxxxx, Luca
"Daath" De Fulgentis - daath@xxxxxxxxxxxxxx
Vendor disclosure: 14th September 2007
Vendor acknowledged: 14th September 2007
Vendor patch release: 23rd September 2007
Public disclosure: 25th September 2007
Advisory number: SN-2007-03
Advisory URL: http://www.securenetwork.it/advisories/
*** SUMMARY ***
Simple PHP Blog is a blogging application that was written with simplicity of
installation and maintenance in mind.
Unlike other blog software, there is almost no setup because it uses flat text
files.
Multiple vulnerabilities have been reported in the latest version of this web
application; probably all previous versions are affected to the same issues.
The specific issues include multiple cross-site scripting flaws and an
arbitrary file upload vulnerability.
Various consequences are associated with these issues, such as theft of
cookie-based authentication credentials and arbitrary remote code execution.
In order to exploit the arbitrary file upload vulnerability, a regular user
should be authenticated. It should be noted that the latest versions of the
application haven't multiple users support. Anyway, exploiting the XSS flaw is
possible to steal the authentication token and then exploit the other
vulnerability in order to execute arbitrary code (such a PHP shell).
*** VULNERABILITY DETAILS ***
(a) Cross Site Scripting (XSS)
Mutiple reflected XSS have been found in the "\themes\<themes
name>\user_style.php" file.
Looking inside the application source code:
###### CUT HERE ######
<style type="text/css">
body {
background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'txt_color' ] ); ?>;
###### CUT HERE ######
It's easy to see that the "user_colors[bg_color]" is not validated and it's
used directly inside an echo function.
Sending a trivial HTTP request against PHP environments having register global
ON is possible to exploit this unvalidated user input flaw.
In detail, It's necessary to append a close HTML tag </style> before the
malicious JavaScript code.
The same problem arises in different point of the same script, for each
different theme template:
background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'txt_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>;
background-color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>;
border-color: #<?php echo( $user_colors[ 'border_color' ] ); ?>;
border-color: #<?php echo( $user_colors[ 'border_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'header_txt_color' ] ); ?>;
background-color: #<?php echo( $user_colors[ 'header_bg_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'footer_txt_color' ] ); ?>;
background: #<?php echo( $user_colors[ 'footer_bg_color' ] ); ?>;
border-top: 1px solid #<?php echo( $user_colors[ 'border_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'headline_txt_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'headline_txt_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'date_txt_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'date_txt_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'entry_text' ] ); ?>;
background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>;
border-color: #<?php echo( $user_colors[ 'entry_text' ] ); ?>;
border-color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'link_reg_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'link_hi_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'link_down_color' ] ); ?>;
border-color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>;
(b) Arbitrary File Upload Vulnerability
Simple PHP Blog is prone to an arbitrary file upload flaw because the
application fails to check the upload denied files.
In the file "upload_img_cgi.php" there's the following file content/extension
check:
###### CUT HERE ######
if ( @getimagesize($_FILES['userfile']['tmp_name']) == FALSE ){
echo('Image is not valid or not an image
file.');
exit;
// redirect_to_url( 'upload_img.php' );
}
###### CUT HERE ######
$upload_denied_extentions = array( "exe", "pl", "php",
"php3", "php4", "php5", "phps", "asp","cgi", "html", "htm", "dll", "bat", "cmd"
);
$extension = strtolower(substr(strrchr($uploadfile,
"."), 1));
foreach ($upload_denied_extentions AS
$denied_extention) {
if($denied_extention == $extension) {
echo('That filetype is not allowed');
exit;
}}
###### CUT HERE ######
Using a fake GIF image is possible to bypass the image content control and the
file extension check.
Creating a file called "exploit.php." with the following content:
GIF89aD
<?php phpinfo(); ?>
An attacker could upload the script on the "/images" directory inside the
application dir on the webserver.
Thanks to "by-design" behaviors of Apache httpd mod_mime parsing files with
multiple extensions, it's possible to execute the uploaded script.
In Microsoft Windows server environment it's possible too, due to the filename
with multiple dot handling.
Exploiting this issue could allow an attacker to upload and execute arbitrary
script code in the context of the affected webserver process.
*** EXPLOIT ***
Attackers may exploit this issue through a browser.
*** FIX INFORMATION ***
http://www.simplephpblog.com/index.php?entry=entry070923-004446
*********************
*** LEGAL NOTICES ***
*********************
Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security
research and development.
We are committed to open, full disclosure of vulnerabilities, cooperating
with software developers for properly handling disclosure issues.
This advisory is copyright © 2007 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similars, provided that due credit is given to Secure Network
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.
E-mail: securenetwork@xxxxxxxxxxxxxxxx
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 0363 560 402