Simplog 0.9.3.2 XSS / XSRF

2009-11-18T00:00:00
ID PACKETSTORM:82747
Type packetstorm
Reporter Amol Naik
Modified 2009-11-18T00:00:00

Description

################################################################################  
Multiple Vulnerabilities in Simplog v0.9.3.2  
  
Name: Multiple vulnerabilities in Simplog  
Systems Affected: Simplog 0.9.3.2 and possibly earlier versions  
Download: http://sourceforge.net/projects/simplog/files/simplog/0.9.3.2/simplog-0.9.3.2.tar.gz/download  
Author: Amol Naik (amolnaik4[at]gmail.com)  
Date: 16/11/2009  
################################################################################  
  
  
############  
1. OVERVIEW  
############  
  
Simplog provides an easy way for users to add blogging capabilities to their existing websites.   
Simplog is written in PHP and compatible with multiple databases.   
Simplog also features an RSS/Atom aggregator/reader.  
  
###############  
2. DESCRIPTION  
###############  
  
Simplog is vulnerable to persistent cross-site scripting, cross-site request forgery and unauthorized comment editing/deletion.  
  
######################  
3. TECHNICAL DETAILS  
######################  
  
Summary:  
  
(A) Persistent Cross-site Scripting  
(B) Cross Site Request Forgery  
(C) Edit/Delete Comments (Bypassing Authorization)  
  
  
(A) Persistent Cross-site Scripting  
++++++++++++++++++++++++++++++++++++  
  
Vulnerable Page: comments.php  
Vulnerable Parameters: cname, email  
  
When adding a comment to any blog entry, a persistent XSS payload can be placed in the "Name" and "Email" fields (the cname and email parameters) because the user input is not properly sanitized before it is stored and displayed.  
  
++++  
POC  
++++  
  
Put this in the comment form:  
  
Name: <script>alert("AMol_NAik")</script>  
Email: "><script>alert("AMol_NAik")</script>  
  
  
(B) Cross Site Request Forgery  
+++++++++++++++++++++++++++++++  
  
Vulnerable Page: user.php  
  
The application is vulnerable to CSRF that changes the password of an authenticated user; the password-change request is accepted via GET with no anti-CSRF token. This applies to the Admin account as well.  
  
++++  
POC  
++++  
  
http://localhost/simplog/user.php?pass1=<new_pass>&pass2=<new_pass>&blogid=<valid_blogid>&act=change  
  
  
For example, if an authenticated user clicks the link below, his/her password is changed to "AMol_NAik".  
  
http://localhost/simplog/user.php?pass1=AMol_NAik&pass2=AMol_NAik&blogid=1&act=change   
  
  
(C) Edit/Delete Comments (Bypassing Authorization)  
+++++++++++++++++++++++++++++++++++++++++++++++++++  
  
Vulnerable Page: comments.php  
Vulnerable Parameters: op, cid  
  
The application provides the Blog Admin with a function to edit and delete comments. Because the authorization check is missing, an attacker can edit or delete any comment simply by requesting the operation with a valid comment id.  
  
++++  
POC  
++++  
  
Edit comment: http://localhost/simplog/comments.php?op=edit&cid=<valid_comment_id>  
Delete Comment: http://localhost/simplog/comments.php?op=del&cid=<valid_comment_id>  
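As an added defensive example (not part of the advisory or of Simplog's code), the following Python flags the three request shapes above in web-server access logs: a GET to user.php carrying pass1/pass2 with act=change, markup in the cname/email parameters of comments.php, and op=edit/op=del on comments.php for review against the admin session. The log lines are constructed; the XSS check can only see form fields that appear in the logged URL or in a request body a proxy logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format prefix: client ident user [time] "METHOD URL PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')
# Crude markup check; parse_qs has already percent-decoded the values it is run on
MARKUP_RE = re.compile(r'<\s*/?\s*script\b|javascript:|\bon\w+\s*=', re.IGNORECASE)

def classify(method, url, body=''):
    """Label one request. `body` is an optional form-encoded POST body (e.g. from a proxy log)."""
    parts = urlsplit(url)
    page = parts.path.rsplit('/', 1)[-1]
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    findings = []
    # (B) password change carried by a GET is exactly the cross-site request in the advisory
    if page == 'user.php' and params.get('act') == ['change'] and ('pass1' in params or 'pass2' in params):
        findings.append('csrf-password-change' if method == 'GET' else 'password-change')
    if page == 'comments.php':
        # (A) markup in the unsanitised commenter name / email fields
        for field in ('cname', 'email'):
            if any(MARKUP_RE.search(v) for v in params.get(field, [])):
                findings.append(f'xss-{field}')
        # (C) edit/delete of a comment: should only ever originate from an admin session
        op = params.get('op', [''])[0]
        if op in ('edit', 'del') and 'cid' in params:
            findings.append(f'comment-{op}')
    return findings

def scan_access_log(lines):
    """Return (client_ip, url, findings) for each flagged line of a combined-format log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            found = classify(m['method'], m['url'])
            if found:
                hits.append((m['ip'], m['url'], found))
    return hits

# Constructed sample lines (not taken from any real server)
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Nov/2009:10:01:02 +0000] "GET /simplog/index.php?blogid=1 HTTP/1.1" 200 4312',
    '10.0.0.9 - - [16/Nov/2009:10:02:15 +0000] "GET /simplog/user.php?pass1=x&pass2=x&blogid=1&act=change HTTP/1.1" 302 0',
    '10.0.0.9 - - [16/Nov/2009:10:03:40 +0000] "GET /simplog/comments.php?op=del&cid=7 HTTP/1.1" 200 812',
    '10.0.0.7 - - [16/Nov/2009:10:04:01 +0000] "GET /simplog/comments.php?op=add&cname=%3Cscript%3Ealert(1)%3C/script%3E&email=a%40b.c HTTP/1.1" 200 900',
]

if __name__ == '__main__':
    for ip, url, found in scan_access_log(SAMPLE_LOG):
        print(ip, url, ', '.join(found))
```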
  
  
############  
4. TIMELINE  
############  
  
03/11/2009 Bug discovered  
03/11/2009 Reported to vendor  
16/11/2009 No response received to date  
16/11/2009 Public disclosure