Simplog 0.9.3.2 cross site scripting and cross site request forgery

2009-11-18 / 2009-11-19
Credit: Amol Naik
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

################################################################################
Multiple Vulnerabilities in Simplog v0.9.3.2

Name             Multiple vulnerabilities in Simplog
Systems Affected Simplog 0.9.3.2 and possibly earlier versions
Download         http://sourceforge.net/projects/simplog/files/simplog/0.9.3.2/simplog-0.9.3.2.tar.gz/download
Author           Amol Naik (amolnaik4[at]gmail.com)
Date             16/11/2009
################################################################################

############
1. OVERVIEW
############

Simplog provides an easy way for users to add blogging capabilities to their existing websites. Simplog is written in PHP and compatible with multiple databases. Simplog also features an RSS/Atom aggregator/reader.

###############
2. DESCRIPTION
###############

Simplog is vulnerable to persistent cross-site scripting, cross-site request forgery and unauthorized comment editing/deletion.

######################
3. TECHNICAL DETAILS
######################

Summary:
(A) Persistent Cross-site Scripting
(B) Cross Site Request Forgery
(C) Edit/Delete Comments (Bypassing Authorization)

(A) Persistent Cross-site Scripting
++++++++++++++++++++++++++++++++++++

Vulnerable page:       comments.php
Vulnerable parameters: cname, email

When adding a comment to any blog entry, it is possible to store a persistent XSS payload in the "Name" and "Email" parameters because the user input is not properly sanitized.

++++
POC
++++

Put this in the comment form:
Name:  <script>alert("AMol_NAik")</script>
Email: "><script>alert("AMol_NAik")</script>

(B) Cross Site Request Forgery
+++++++++++++++++++++++++++++++

Vulnerable page: user.php

The application is vulnerable to a CSRF that changes the password of an authenticated user. This applies to the Admin account as well.

++++
POC
++++

http://localhost/simplog/user.php?pass1=<new_pass>&pass2=<new_pass>&blogid=<valid_blogid>&act=change

For example, if an authenticated user clicks on the link below, his/her password changes to "AMol_NAik":

http://localhost/simplog/user.php?pass1=AMol_NAik&pass2=AMol_NAik&blogid=1&act=change

(C) Edit/Delete Comments (Bypassing Authorization)
+++++++++++++++++++++++++++++++++++++++++++++++++++

Vulnerable page:       comments.php
Vulnerable parameters: op, cid

The application provides the blog Admin with a function to edit and delete comments. Because of improper authorization, an attacker can edit or delete any comment.

++++
POC
++++

Edit comment:
http://localhost/simplog/comments.php?op=edit&cid=<valid_comment_id>

Delete comment:
http://localhost/simplog/comments.php?op=del&cid=<valid_comment_id>

############
4. TIMELINE
############

03/11/2009  Bug discovered
03/11/2009  Reported to vendor
16/11/2009  No response received to date
16/11/2009  Public disclosure
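The three findings share one root cause each: unencoded output, state-changing GET requests without a token, and a missing ownership check. The PHP sketch below is an added example of the corresponding fixes; it is not Simplog's code, and the `$comments` in-memory store, the session layout (`$_SESSION['user']`) and all function names are assumptions.

```php
<?php
// Added hardening sketch, not Simplog's own code. The session layout, the
// in-memory $comments store and the function names are assumptions.
declare(strict_types=1);
session_start();

// Constructed sample row standing in for the comments table; cname/email
// carry the advisory's stored-XSS payloads.
$comments = [7 => ['cid' => 7, 'blogid' => 1,
                   'cname' => '<script>alert("x")</script>',
                   'email' => '"><script>alert("x")</script>',
                   'comment' => 'hello']];

// (A) Persistent XSS: HTML-encode every stored field at output time, so a
// payload saved via cname/email renders as text instead of executing.
function render_comment(array $c): string {
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $e($c['cname']) . '</b> (' . $e($c['email']) . '): '
         . $e($c['comment']) . '</p>';
}

// (B) CSRF on user.php?act=change: password changes must arrive by POST and
// carry the per-session token, which a forged cross-site link cannot supply.
function csrf_token(): string {
    $_SESSION['csrf'] ??= bin2hex(random_bytes(32));
    return $_SESSION['csrf'];
}
function csrf_ok(string $method, array $post): bool {
    return $method === 'POST'
        && isset($post['csrf'], $_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], (string) $post['csrf']);
}

// (C) comments.php op=edit/op=del: the caller must be the admin of the blog
// the comment belongs to; a valid cid alone is not authorization.
function may_modify_comment(?array $user, array $comment): bool {
    return $user !== null && !empty($user['is_admin'])
        && (int) $user['blogid'] === (int) $comment['blogid'];
}

// Dispatch for op=del with the checks applied in order: token, then ownership.
if (($_GET['op'] ?? '') === 'del') {
    if (!csrf_ok($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST)) { http_response_code(403); exit; }
    $cid = (int) ($_POST['cid'] ?? 0);
    if (!isset($comments[$cid]) || !may_modify_comment($_SESSION['user'] ?? null, $comments[$cid])) {
        http_response_code(403); exit;
    }
    unset($comments[$cid]);
}
echo render_comment($comments[7] ?? ['cname' => '', 'email' => '', 'comment' => '(deleted)']);
```

Run from the CLI it simply prints the encoded sample comment; behind a web server the same file rejects a bare `GET ?op=del&cid=7` with 403 before any ownership or database lookup happens.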