Simplog version 0.9.3.2 suffers from cross site scripting and cross site request forgery vulnerabilities.
686e77bda149b90c5d645944c9bd2384b7cf6a98c67742ce60202344b0902e81
################################################################################
Mutliple Vulnerabilities in Simplog v0.9.3.2
Name Multiple vulnerabilities in Simplog
Systems Affected Simplog 0.9.3.2 and possibly earlier versions
Download http://sourceforge.net/projects/simplog/files/simplog/0.9.3.2/simplog-0.9.3.2.tar.gz/download
Author Amol Naik (amolnaik4[at]gmail.com)
Date 16/11/2009
################################################################################
############
1. OVERVIEW
############
Simplog provides an easy way for users to add blogging capabilities to their existing websites.
Simplog is written in PHP and compatible with multiple databases.
Simplog also features an RSS/Atom aggregator/reader.
###############
2. DESCRIPTION
###############
Simplog is vulnerable to Persistent cross-site scripting, cross-site request forgery and unauthorized comment deletion.
######################
3. TECHNICAL DETAILS
######################
Summery:
(A) Persistent Cross-site Scripting
(B) Cross Site Request Forgery
(C) Edit/Delete Comments (Bypassing Authorization)
(A) Persistent Cross-site Scripting
++++++++++++++++++++++++++++++++++++
Vulnerable page comments.php
Vulnerable Parameters cname, email
When adding a comment for any blog entry, it is possible to add a Persistent XSS payload in "Name" & "Email" parameters due to improper sanitization of the user inputs.
++++
POC
++++
Put this in the comment:
Name: <script>alert("AMol_NAik")</script>
email:"><script>alert("AMol_NAik")</script>
(B) Cross Site Request Forgery
+++++++++++++++++++++++++++++++
Vulnerable Page user.php
This application is vulenrable to CSRF which changes the password of an authenticated user. This is applicable to Admin as well.
++++
POC
++++
http://localhost/simplog/user.php?pass1=<new_pass>&pass2=<new_pass>&blogid=<valid_blogid>&act=change
For example, if an authenticated user clicks on the below link, his/her password changes to "AMol_NAik".
http://localhost/simplog/user.php?pass1=AMol_NAik&pass2=AMol_NAik&blogid=1&act=change
(C) Edit/Delete Comments (Bypassing Authorization)
+++++++++++++++++++++++++++++++++++++++++++++++++++
Vulnerable Page comments.php
Vulnerable Parameters op, cid
The application provides a function to edit n delete the comments to Blog Admin. It is possible for attacker to edit/delete any comment due to improper authorization.
++++
POC
++++
Edit comment: http://localhost/simplog/comments.php?op=edit&cid=<valid_comment_id>
Delete Comment: http://localhost/simplog/comments.php?op=del&cid=<valid_comment_id>
############
4. TimeLine
############
03/11/2009 Bug Discovered
03/11/2009 Reported to Vendor
16/11/2009 No response received till the date
16/11/2009 Public Disclosure
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed