Nibbleblog 4.0.1 Cross Site Scripting

2014-11-17T00:00:00
ID PACKETSTORM:129133
Type packetstorm
Reporter Manuel Garcia Cardenas
Modified 2014-11-17T00:00:00

Description

                                        
                                            `=============================================  
MGC ALERT 2014-002  
- Original release date: March 5, 2014  
- Last revised: November 17, 2014  
- Discovered by: Manuel Garcia Cardenas  
- Severity: 4,8/10 (CVSS Base Score)  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Reflected XSS in Nibbleblog <= v4.0.1  
  
II. BACKGROUND  
-------------------------  
Nibbleblog is a powerful engine for creating blogs, all you need is PHP to  
work.  
  
III. DESCRIPTION  
-------------------------  
Has been detected a reflected XSS vulnerability in Nibbleblog, that allows  
the execution of arbitrary HTML/script code to be executed in the context  
of the victim user's browser.  
  
The code injection is done through the parameter warning in the page  
index.php parameters "author_name" and "content".  
  
IV. PROOF OF CONCEPT  
-------------------------  
Malicious Request:  
http://vulnerablesite.com/nibbleblog/index.php?controller=post&action=view&id_post=1  
hash=10905d09405f5db41d3c6645fd23e72746f76106&author_name=<XSS  
injection>&author_email=&content=<XSS injection>  
  
Example:  
http://vulnerablesite.com/nibbleblog/index.php?controller=post&action=view&id_post=1  
hash=10905d09405f5db41d3c6645fd23e72746f76106&author_name=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&author_email=&content=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E  
  
V. BUSINESS IMPACT  
-------------------------  
An attacker can execute arbitrary HTML or script code in a targeted user's  
browser, this can leverage to steal sensitive information as user  
credentials, personal data, etc.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Nibbleblog <= v4.0.1  
  
VII. SOLUTION  
-------------------------  
Update to version 4.0.2  
  
VIII. REFERENCES  
-------------------------  
http://www.nibbleblog.com/  
http://blog.nibbleblog.com/post/nibbleblog-v4.0.2-coffee/  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported  
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
March 5, 2014 1: Initial release  
November 17, 2014 2: Last revision  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
March 5, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas  
March 5, 2014 2: Send to vendor  
March 7, 2014 3: New version that includes patched code  
http://blog.nibbleblog.com/post/nibbleblog-v4.0.2-coffee/  
November 17, 2014 4: Sent to lists  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise.  
  
XIII. ABOUT  
-------------------------  
Manuel Garcia Cardenas  
Pentester  
  
  
`