Simplog 0.9.3.2 XSS / XSRF

Date: 18 Nov 2009 | Reported by: Amol Naik | Type: packetstorm | Source: packetstormsecurity.com

Simplog v0.9.3.2 Vulnerabilities in XSS, XSRF, and Unauthorized Comment Deletion

Code
`   
################################################################################  
Multiple Vulnerabilities in Simplog v0.9.3.2  
  
Name Multiple vulnerabilities in Simplog  
Systems Affected Simplog 0.9.3.2 and possibly earlier versions  
Download http://sourceforge.net/projects/simplog/files/simplog/0.9.3.2/simplog-0.9.3.2.tar.gz/download  
Author Amol Naik (amolnaik4[at]gmail.com)  
Date 16/11/2009  
################################################################################  
  
  
############  
1. OVERVIEW  
############  
  
Simplog provides an easy way for users to add blogging capabilities to their existing websites.   
Simplog is written in PHP and compatible with multiple databases.   
Simplog also features an RSS/Atom aggregator/reader.  
  
###############  
2. DESCRIPTION  
###############  
  
Simplog is vulnerable to Persistent cross-site scripting, cross-site request forgery and unauthorized comment deletion.  
  
######################  
3. TECHNICAL DETAILS  
######################  
  
Summary:  
  
(A) Persistent Cross-site Scripting  
(B) Cross Site Request Forgery  
(C) Edit/Delete Comments (Bypassing Authorization)  
  
  
(A) Persistent Cross-site Scripting  
++++++++++++++++++++++++++++++++++++  
  
Vulnerable page comments.php  
Vulnerable Parameters cname, email  
  
When adding a comment to any blog entry, it is possible to store a persistent XSS payload in the "Name" and "Email" parameters, because the user input is not properly sanitized before being rendered.  
  
++++  
POC  
++++  
  
Put this in the comment:  
  
Name: <script>alert("AMol_NAik")</script>  
email:"><script>alert("AMol_NAik")</script>  
  
  
(B) Cross Site Request Forgery  
+++++++++++++++++++++++++++++++  
  
Vulnerable Page user.php  
  
This application is vulnerable to CSRF that changes the password of an authenticated user. This applies to the Admin account as well.  
  
++++  
POC  
++++  
  
http://localhost/simplog/user.php?pass1=<new_pass>&pass2=<new_pass>&blogid=<valid_blogid>&act=change  
  
  
For example, if an authenticated user clicks on the below link, his/her password changes to "AMol_NAik".  
  
http://localhost/simplog/user.php?pass1=AMol_NAik&pass2=AMol_NAik&blogid=1&act=change   
  
  
(C) Edit/Delete Comments (Bypassing Authorization)  
+++++++++++++++++++++++++++++++++++++++++++++++++++  
  
Vulnerable Page comments.php  
Vulnerable Parameters op, cid  
  
The application provides the Blog Admin with a function to edit and delete comments. Due to missing authorization checks, an attacker can edit or delete any comment.  
  
++++  
POC  
++++  
  
Edit comment: http://localhost/simplog/comments.php?op=edit&cid=<valid_comment_id>  
Delete Comment: http://localhost/simplog/comments.php?op=del&cid=<valid_comment_id>  
  
  
############  
4. TimeLine  
############  
  
03/11/2009 Bug Discovered  
03/11/2009 Reported to Vendor  
16/11/2009 No response received to date  
16/11/2009 Public Disclosure`
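The three issues above each map to one missing control: output encoding for cname/email (A), a CSRF token plus POST-only handling for act=change (B), and an ownership check before op=edit/del (C). The following is an added illustration, not Simplog's own code; the function names, the `$db` PDO handle and the comments/blogs table columns are hypothetical.

```php
<?php
// Added example (not Simplog's code): hardened handling for the three issues.
// Table/column names and the $db PDO handle are hypothetical.

// (A) Persistent XSS: encode stored cname/email at output time.
function render_comment(array $c): string {
    $enc = fn(string $s) => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $enc($c['cname']) . '</b> &lt;' . $enc($c['email']) . '&gt;</p>';
}

// (B) CSRF: password change only via POST carrying a per-session token.
// The change form must embed: <input type="hidden" name="csrf" value="<?= csrf_token() ?>">
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function require_csrf(): void {
    $sent = $_POST['csrf'] ?? '';
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !hash_equals($_SESSION['csrf'] ?? '', $sent)) {
        http_response_code(403);
        exit('invalid request');
    }
}

// (C) Authorization: only the owner of the blog a comment belongs to may edit/delete it.
function require_comment_owner(PDO $db, int $cid, int $userId): void {
    $st = $db->prepare('SELECT b.userid FROM comments c
                        JOIN blogs b ON b.blogid = c.blogid WHERE c.cid = ?');
    $st->execute([$cid]);
    $owner = $st->fetchColumn();
    if ($owner === false || (int)$owner !== $userId) {
        http_response_code(403);
        exit('not authorized');
    }
}

// Dispatch as user.php (act=change) and comments.php (op=edit|del) would do it.
session_start();
if (($_REQUEST['act'] ?? '') === 'change') {
    require_csrf();                       // a GET link like the PoC is now rejected
    if (($_POST['pass1'] ?? '') !== ($_POST['pass2'] ?? '')) { exit('passwords differ'); }
    // ... update the password of $_SESSION['userid'] here ...
}
if (in_array($_REQUEST['op'] ?? '', ['edit', 'del'], true)) {
    require_comment_owner($db, (int)($_REQUEST['cid'] ?? 0), (int)($_SESSION['userid'] ?? 0));
    // ... proceed with the edit/delete here ...
}
```

Note that `require_comment_owner` also fails closed when `cid` does not exist, so probing for valid comment ids gets the same 403 as a foreign comment.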
