PHP-Blogger Multiple Cross Site Scripting Vulnerabilities

2006.07.12
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Multiple Cross Site Scripting Vulnerabilities exist in PHP-Blogger, a free photoblog script designed for posting news & slideshows.
http://www.phpblogger.com

Attached is the advisory which details the vulnerability.

Thanks,
OS2A

PHP-Blogger Multiple Cross Site Scripting Vulnerabilities

OS2A ID: OS2A_1006

Status:
14/06/2006 Issue Discovered
23/06/2006 Reported to the vendor (No response on repeated notification)
07/07/2006 Advisory Released

Class: Cross Site Scripting
Severity: Medium

Overview:
---------
PHP-Blogger is a free php script for creating a personal weblog (blog) or photoblog.
http://www.phpblogger.com

Description:
------------
Multiple Cross-site scripting vulnerabilities exist due to input validation errors in parameters like name, title, news, description, sitename etc., in admin/actions.php. Successful exploitation requires authentication.

Impact:
-------
A remote attacker could inject malicious script code in the victim's browser within the security context of the hosting site and also could steal the victim's cookie-based authentication credentials.

Affected Software(s):
---------------------
PHP-Blogger 2.2.5 (prior versions may also be vulnerable)

Proof of Concept:
-----------------
Sample exploits

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_news
Vulnerable fields: Title, News

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_slideshow
Vulnerable fields: Description

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php/admin.php?action=preferences
http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=install
Vulnerable fields: Site name

Insert "<script>alert('XSS Vulnerable');</script>" in above fields to try the exploit.

Analysis:
---------
Vulnerable code in admin/actions.php (example snippet)

    $id = getValue("id");
    $title = getValue("title");
    $description = getValue("description");
    $Post = $Blogger->getPost($id);
    $folder = $Post->getDir();
    $Post->setTitle($title);
    $Post->setDescription($description);
    $file = getPostFiles("pic0");

Input passed to many of the parameters in this script is not properly sanitized before being used.

CVSS Score Report:
------------------
ACCESS_VECTOR = REMOTE
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = REQUIRED
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
IMPACT_BIAS = CONFIDENTIALITY
EXPLOITABILITY = POC
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 3.1 (AV:R/AC:L/Au:R/C:P/I:P/A:N/B:C)
CVSS Temporal Score = 2.8
Risk factor = Medium

Solution:
---------
Edit the source code to sanitize the user input values.

Credits:
--------
Pavithra Hanchagaiah of OS2A has been credited with the discovery of this vulnerability.
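
One way to apply the Solution to the fields named in the Analysis snippet, as an added example that is not PHP-Blogger's code or the advisory's. The bodies of getValue(), getPostId() and e() are hypothetical (the advisory does not show the real helpers), and the request array is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for PHP-Blogger's getValue(); the real helper is not
// shown in the advisory. Non-string input (e.g. title[]=x) becomes ''.
function getValue(array $request, string $key): string
{
    $value = $request[$key] ?? '';
    return is_string($value) ? trim($value) : '';
}

// Hypothetical helper: the id is validated as a positive integer, not passed through.
function getPostId(array $request): ?int
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: encode for HTML text and quoted-attribute contexts.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request: the advisory's test string in Title, markup in Description.
$request = [
    'id'          => '7',
    'title'       => "<script>alert('XSS Vulnerable');</script>",
    'description' => 'Holiday "slideshow" <b>2006</b>',
];

$id = getPostId($request);
if ($id === null) {
    http_response_code(400);
    exit("Invalid post id\n");
}
$title       = getValue($request, 'title');
$description = getValue($request, 'description');

// Keep the raw values in storage and encode at the point of output, so every
// page that prints them (post view, admin list, preferences) goes through e().
echo '<h2>' . e($title) . "</h2>\n";
echo '<p title="' . e($description) . '">' . e($description) . "</p>\n";
```

Encoding at output rather than only on input also covers values that were stored before the fix was deployed.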

