Multiple Cross Site Scripting Vulnerabilities exist in PHP-Blogger, a free photoblog script designed for posting news & slideshows. http://www.phpblogger.com Attached is the advisory which details the vulnerability. Thanks, OS2A
PHP-Blogger Multiple Cross Site Scripting Vulnerabilities OS2A ID: OS2A_1006 Status: 14/06/2006 Issue Discovered 23/06/2006 Reported to the vendor (No response on repeated notification) 07/07/2006 Advisory Released Class: Cross Site Scripting Severity: Medium Overview: --------- PHP-Blogger is a free php script for creating a personal weblog (blog) or photoblog. http://www.phpblogger.com Description: ------------ Multiple Cross-site scripting vulnerabilities exist due to input validation errors in parameters like name, title, news, description, sitename etc., in admin/actions.php. Successful exploitation requires authentication. Impact: ------- A remote attacker could inject malicious script code in the victim's browser within the security context of the hosting site and also could steal the victim's cookie-based authentication credentials. Affected Software(s): --------------------- PHP-Blogger 2.2.5 (prior versions may also be vulnerable) Proof of Concept: ----------------- Sample exploits http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_news Vulnerable fields: Title, News http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=new_slideshow Vulnerable fields: Description http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php/admin.php?action=preferences http://www.yoursite.com/directory_where_you_installed_phpblogger/admin.php?action=install Vulnerable fields: Site name Insert "<script>alert('XSS Vulnerable');</script>" in above fields to try the the exploit. Analysis: --------- Vulnerable code in admin/actions.php (example snippet) $id = getValue("id"); $title = getValue("title"); $description = getValue("description"); $Post = $Blogger->getPost($id); $folder = $Post->getDir(); $Post->setTitle($title); $Post->setDescription($description); $file = getPostFiles("pic0"); Input passed to many of the parameters in this script are not properly sanitized before being used. CVSS Score Report: ------------------ ACCESS_VECTOR = REMOTE ACCESS_COMPLEXITY = LOW AUTHENTICATION = REQUIRED CONFIDENTIALITY_IMPACT = PARTIAL INTEGRITY_IMPACT = PARTIAL AVAILABILITY_IMPACT = NONE IMPACT_BIAS = CONFIDENTIALITY EXPLOITABILITY = POC REMEDIATION_LEVEL = UNAVAILABLE REPORT_CONFIDENCE = CONFIRMED CVSS Base Score = 3.1 (AV:R/AC:L/Au:R/C:P/I:P/A:N/B:C) CVSS Temporal Score = 2.8 Risk factor = Medium Solution: --------- Edit the source code to sanitize the user input values. Credits: -------- Pavithra Hanchagaiah of OS2A has been credited with the discovery of this vulnerability.
