################################################################################ Mutliple Vulnerabilities in Simplog v0.9.3.2 Name Multiple vulnerabilities in Simplog Systems Affected Simplog 0.9.3.2 and possibly earlier versions Download http://sourceforge.net/projects/simplog/files/simplog/0.9.3.2/simplog-0.9.3.2.tar.gz/download Author Amol Naik (amolnaik4[at]gmail.com) Date 16/11/2009 ################################################################################ ############ 1. OVERVIEW ############ Simplog provides an easy way for users to add blogging capabilities to their existing websites. Simplog is written in PHP and compatible with multiple databases. Simplog also features an RSS/Atom aggregator/reader. ############### 2. DESCRIPTION ############### Simplog is vulnerable to Persistent cross-site scripting, cross-site request forgery and unauthorized comment deletion. ###################### 3. TECHNICAL DETAILS ###################### Summery: (A) Persistent Cross-site Scripting (B) Cross Site Request Forgery (C) Edit/Delete Comments (Bypassing Authorization) (A) Persistent Cross-site Scripting ++++++++++++++++++++++++++++++++++++ Vulnerable page comments.php Vulnerable Parameters cname, email When adding a comment for any blog entry, it is possible to add a Persistent XSS payload in "Name" & "Email" parameters due to improper sanitization of the user inputs. ++++ POC ++++ Put this in the comment: Name: email:"> (B) Cross Site Request Forgery +++++++++++++++++++++++++++++++ Vulnerable Page user.php This application is vulenrable to CSRF which changes the password of an authenticated user. This is applicable to Admin as well. ++++ POC ++++ http://localhost/simplog/user.php?pass1=&pass2=&blogid=&act=change For example, if an authenticated user clicks on the below link, his/her password changes to "AMol_NAik". http://localhost/simplog/user.php?pass1=AMol_NAik&pass2=AMol_NAik&blogid=1&act=change (C) Edit/Delete Comments (Bypassing Authorization) +++++++++++++++++++++++++++++++++++++++++++++++++++ Vulnerable Page comments.php Vulnerable Parameters op, cid The application provides a function to edit n delete the comments to Blog Admin. It is possible for attacker to edit/delete any comment due to improper authorization. ++++ POC ++++ Edit comment: http://localhost/simplog/comments.php?op=edit&cid= Delete Comment: http://localhost/simplog/comments.php?op=del&cid= ############ 4. TimeLine ############ 03/11/2009 Bug Discovered 03/11/2009 Reported to Vendor 16/11/2009 No response received till the date 16/11/2009 Public Disclosure