PHP-Blogger Multiple Cross Site Scripting Vulnerabilities

Archived as SECURITYVULNS:DOC:13445 (securityvulns, via vulners.com)
Published: Jul 08, 2006

OS2A ID: OS2A_1006

Status:
14/06/2006 Issue Discovered
23/06/2006 Reported to the vendor (no response on repeated notification)
07/07/2006 Advisory Released

Class: Cross Site Scripting
Severity: Medium

Overview:

PHP-Blogger is a free php script for creating a personal weblog (blog) or photoblog.
http://www.phpblogger.com

Description:

Multiple cross-site scripting vulnerabilities exist due to missing input validation
on parameters such as name, title, news, description and sitename in
admin/actions.php.

Successful exploitation requires authentication.

Impact:

A remote attacker could inject malicious script code in the victim's browser
within the security context of the hosting site and also could steal the victim's
cookie-based authentication credentials.

Affected Software(s):

PHP-Blogger 2.2.5 (prior versions may also be vulnerable)

Proof of Concept:

Sample exploits

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_news
Vulnerable fields: Title, News

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_slideshow
Vulnerable fields: Description

http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=preferences
http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=install
Vulnerable fields: Site name

Insert "<script>alert('XSS Vulnerable');</script>" in the above fields to try the exploit.

Analysis:

Vulnerable code in admin/actions.php (example snippet)

// Request parameters are read raw; no validation or escaping takes place here
$id = getValue("id");
$title = getValue("title");
$description = getValue("description");
$Post = $Blogger->getPost($id);
$folder = $Post->getDir();
// The unsanitized values are stored on the post object and later rendered as-is
$Post->setTitle($title);
$Post->setDescription($description);
$file = getPostFiles("pic0");

Input passed to many of the parameters in this script is not properly sanitized
before being used.

CVSS Score Report:

ACCESS_VECTOR          = REMOTE
ACCESS_COMPLEXITY      = LOW
AUTHENTICATION         = REQUIRED
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT       = PARTIAL
AVAILABILITY_IMPACT    = NONE
IMPACT_BIAS            = CONFIDENTIALITY
EXPLOITABILITY         = POC
REMEDIATION_LEVEL      = UNAVAILABLE
REPORT_CONFIDENCE      = CONFIRMED
CVSS Base Score        = 3.1 (AV:R/AC:L/Au:R/C:P/I:P/A:N/B:C)
CVSS Temporal Score    = 2.8
Risk factor            = Medium

Solution:

Edit the source code to sanitize the user input values.
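As an added illustration (not code from PHP-Blogger or the OS2A advisory), the following PHP places the raw echo pattern from the Analysis section beside the output-encoding fix the Solution calls for. getValue() is a stand-in for the advisory's helper, and the renderTitle*/normalizeTitleInput function names are assumptions.

```php
<?php
// Added example, not PHP-Blogger's code. Only admin/actions.php, getValue()
// and the "title" parameter come from the advisory; everything else is assumed.

// Stand-in for the advisory's getValue(): returns the raw request parameter.
function getValue(string $name): string
{
    return $_REQUEST[$name] ?? '';
}

// Vulnerable rendering: the stored title is concatenated straight into HTML,
// so markup submitted through the admin form executes in any viewer's browser.
function renderTitleUnsafe(string $title): string
{
    return "<h2>" . $title . "</h2>";
}

// Hardened rendering: HTML-encode at the output point. ENT_QUOTES covers
// attribute contexts, ENT_SUBSTITUTE avoids silent truncation on invalid
// UTF-8, and the explicit charset prevents encoding-based bypasses.
function renderTitleSafe(string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<h2>" . $encoded . "</h2>";
}

// Defence in depth on input: a post title or site name is plain text, so
// strip tags and cap its length before storing. This is a filter, not a
// substitute for encoding on output; both belong in the fix.
function normalizeTitleInput(string $raw, int $maxLen = 200): string
{
    $clean = strip_tags(trim($raw));
    return mb_substr($clean, 0, $maxLen, 'UTF-8');
}

// Constructed sample: the advisory's own test string, used when the script is
// run from the command line and no "title" parameter is present.
$title = getValue("title");
if ($title === '') {
    $title = "<script>alert('XSS Vulnerable');</script>";
}

echo renderTitleUnsafe($title), "\n";    // the script tag survives intact
echo renderTitleSafe($title), "\n";      // the tag is shown as literal text
echo normalizeTitleInput($title), "\n";  // tags removed before storage
```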

Credits:

Pavithra Hanchagaiah of OS2A has been credited with the discovery of this
vulnerability.