Type packetstorm
Reporter Luca Carettoni
Modified 2007-09-26T00:00:00


                                            `Secure Network - Security Research Advisory  
Vuln name: Simple PHP Blog Multiple Vulnerabilities  
Systems affected: simplePHPBlog, simplePHPBlog 0.4.8 and all previous versions  
Systems not affected: -  
Severity: Medium  
Local/Remote: Remote  
Vendor URL: http://www.simplephpblog.com/  
Author(s): Luca "ikki" Carettoni - luca.carettoni@securenetwork.it, Luca "Daath" De Fulgentis - daath@webapptest.org  
Vendor disclosure: 14th September 2007  
Vendor acknowledged: 14th September 2007  
Vendor patch release: 23rd September 2007  
Public disclosure: 25th September 2007  
Advisory number: SN-2007-03  
Advisory URL: http://www.securenetwork.it/advisories/  
*** SUMMARY ***  
Simple PHP Blog is a blogging application that was written with simplicity of installation and maintenance in mind.  
Unlike other blog software, there is almost no setup because it uses flat text files.  
Multiple vulnerabilities have been reported in the latest version of this web application; probably all previous versions are affected to the same issues.  
The specific issues include multiple cross-site scripting flaws and an arbitrary file upload vulnerability.  
Various consequences are associated with these issues, such as theft of cookie-based authentication credentials and arbitrary remote code execution.  
In order to exploit the arbitrary file upload vulnerability, a regular user should be authenticated. It should be noted that the latest versions of the application haven't multiple users support. Anyway, exploiting the XSS flaw is possible to steal the authentication token and then exploit the other vulnerability in order to execute arbitrary code (such a PHP shell).  
(a) Cross Site Scripting (XSS)  
Mutiple reflected XSS have been found in the "\themes\<themes name>\user_style.php" file.   
Looking inside the application source code:  
###### CUT HERE ######  
<style type="text/css">  
body {  
background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>;  
color: #<?php echo( $user_colors[ 'txt_color' ] ); ?>;  
###### CUT HERE ######  
It's easy to see that the "user_colors[bg_color]" is not validated and it's used directly inside an echo function.  
Sending a trivial HTTP request against PHP environments having register global ON is possible to exploit this unvalidated user input flaw.  
In detail, It's necessary to append a close HTML tag </style> before the malicious JavaScript code.  
The same problem arises in different point of the same script, for each different theme template:  
background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>;  
color: #<?php echo( $user_colors[ 'txt_color' ] ); ?>;  
color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>;  
background-color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>;  
border-color: #<?php echo( $user_colors[ 'border_color' ] ); ?>;  
border-color: #<?php echo( $user_colors[ 'border_color' ] ); ?>;  
color: #<?php echo( $user_colors[ 'header_txt_color' ] ); ?>;  
background-color: #<?php echo( $user_colors[ 'header_bg_color' ] ); ?>;  
color: #<?php echo( $user_colors[ 'footer_txt_color' ] ); ?>;  
background: #<?php echo( $user_colors[ 'footer_bg_color' ] ); ?>;  
border-top: 1px solid #<?php echo( $user_colors[ 'border_color' ] ); ?>;  
color: #<?php echo( $user_colors[ 'headline_txt_color' ] ); ?>;  
color: #<?php echo( $user_colors[ 'headline_txt_color' ] ); ?>;  
color: #<?php echo( $user_colors[ 'date_txt_color' ] ); ?>;  
color: #<?php echo( $user_colors[ 'date_txt_color' ] ); ?>;  
color: #<?php echo( $user_colors[ 'entry_text' ] ); ?>;  
background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>;  
border-color: #<?php echo( $user_colors[ 'entry_text' ] ); ?>;  
border-color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>;  
color: #<?php echo( $user_colors[ 'link_reg_color' ] ); ?>;  
color: #<?php echo( $user_colors[ 'link_hi_color' ] ); ?>;  
color: #<?php echo( $user_colors[ 'link_down_color' ] ); ?>;  
border-color: #<?php echo( $user_colors[ 'inner_border_color' ] ); ?>;  
(b) Arbitrary File Upload Vulnerability  
Simple PHP Blog is prone to an arbitrary file upload flaw because the application fails to check the upload denied files.  
In the file "upload_img_cgi.php" there's the following file content/extension check:  
###### CUT HERE ######  
if ( @getimagesize($_FILES['userfile']['tmp_name']) == FALSE ){  
echo('Image is not valid or not an image file.');  
// redirect_to_url( 'upload_img.php' );  
###### CUT HERE ######  
$upload_denied_extentions = array( "exe", "pl", "php", "php3", "php4", "php5", "phps", "asp","cgi", "html", "htm", "dll", "bat", "cmd" );  
$extension = strtolower(substr(strrchr($uploadfile, "."), 1));  
foreach ($upload_denied_extentions AS $denied_extention) {  
if($denied_extention == $extension) {  
echo('That filetype is not allowed');  
###### CUT HERE ######  
Using a fake GIF image is possible to bypass the image content control and the file extension check.   
Creating a file called "exploit.php." with the following content:  
<?php phpinfo(); ?>  
An attacker could upload the script on the "/images" directory inside the application dir on the webserver.   
Thanks to "by-design" behaviors of Apache httpd mod_mime parsing files with multiple extensions, it's possible to execute the uploaded script.   
In Microsoft Windows server environment it's possible too, due to the filename with multiple dot handling.  
Exploiting this issue could allow an attacker to upload and execute arbitrary script code in the context of the affected webserver process.   
*** EXPLOIT ***  
Attackers may exploit this issue through a browser.  
Secure Network (www.securenetwork.it) is an information security company,  
which provides consulting and training services, and engages in security  
research and development.  
We are committed to open, full disclosure of vulnerabilities, cooperating  
with software developers for properly handling disclosure issues.  
This advisory is copyright © 2007 Secure Network S.r.l. Permission is  
hereby granted for the redistribution of this alert, provided that it is  
not altered except by reformatting it, and that due credit is given. It  
may not be edited in any way without the express consent of Secure Network  
S.r.l. Permission is explicitly given for insertion in vulnerability  
databases and similars, provided that due credit is given to Secure Network  
The information in the advisory is believed to be accurate at the time of  
publishing based on currently available information. This information is  
provided as-is, as a free service to the community by Secure Network  
research staff. There are no warranties with regard to this information.  
Secure Network does not accept any liability for any direct, indirect,  
or consequential loss or damage arising from use of, or reliance on,  
this information.  
If you have any comments or inquiries, or any issue with what is reported  
in this advisory, please inform us as soon as possible.  
E-mail: securenetwork@securenetwork.it  
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc  
Phone: +39 0363 560 402