info
———————————
Name : Post Revolution 0.8.0c Multiple Remote Vulnerabilities
Class : Design Error && Input Validation Error
CVE : CVE-2011-1952, CVE-2011-1953, CVE-2011-1954
Remote : Yes
Local : No
Credit : Javier Bassi
Vulnerable : All versions prior to and including 0.8.0c are affected.
Vendor Homepage : http://postrev.com.ar

description
———————————
Post Revolution is an open source blog tool and publishing platform powered by PHP and MySQL.

discussion
———————————
Post Revolution is prone to multiple remote vulnerabilities, including:

1. A denial of service vulnerability. (CWE-835) (CVE-2011-1952)
2. Persistent cross-site scripting vulnerabilities. (CWE-79) (CVE-2011-1953)
3. Cross-site request forgery vulnerabilities. (CWE-352) (CVE-2011-1954)

An attacker may leverage these issues to cause a denial-of-service condition, perform certain administrative actions, execute arbitrary script code in the browser of an unsuspecting user in the context of the website, steal cookie-based authentication credentials, and gain unauthorized access to the affected application.

Post Revolution 0.8.0c is vulnerable.

timeline
———————————
2011.05.22 – Informed developers
2011.05.23 – Patch for issues 1 & 2 released.
2011.06.01 – Disclosed

details/pocs
———————————
1. Denial of Service vulnerability

Post Revolution allows some HTML tags in the comments and removes all non-permitted ones. The vulnerable code is in lines 456 to 462 of common.php:

    while(stripos($s,'<') > 0){
        $pos[1] = stripos($s,'<');              // start of the next tag
        $pos[2] = stripos($s,'>', $pos[1]);     // end of that tag (if any)
        $len[1] = $pos[2] - $pos[1] + 1;
        $x = substr($s,$pos[1],$len[1]);        // the tag text to remove
        $s = str_replace($x,'',$s);             // no progress when $x is empty
    }

This code tries to remove every non-permitted HTML tag; $s is the content of the comment. An attacker could post a comment with just 'a<', and then while(stripos($s,'<') > 0) will always be true because pos[1]=1, pos[2] will be NULL, len[1]=0, then x = NULL, so $s will again be 'a<'.

This will cause an infinite loop that ends when PHP kills the script, printing:

    Fatal error: Maximum execution time of 30 seconds exceeded in /var/www/postrev/common.php on line 459

2. Cross-site scripting vulnerabilities

Post Revolution allows the following tags in the comments: p, strong, a, em, i, img, li, ol, video, blockquote, and doesn't sanitize their attributes. So the following XSS vectors work:

    [vector listing not recoverable: the extracted page rendered the tag markup, leaving only its placeholder text]

The same works with other events like onclick, onmouseout, onmousemove, onkeydown, etc. Also note that PR doesn't close the tag for you, so it's not necessary to get the comment moused over by the admin. If the attacker posts

    [vector not recoverable from the extracted page]

the mouseover event will be triggered when the admin moves the mouse anywhere below the attacker's comment.

3. Cross-site request forgery vulnerabilities

There is CSRF everywhere: in ajax-weblog-guardar.php, verpost.php, comments.php, perfil.php, etc. PR 0.8.0c has absolutely no protection against CSRF in any form, except for anonymous comments and registration, which have a captcha.

solution
———————————
You can fix the DoS and XSS vulns fast by replacing the whole function check_html in common.php, from line 416 to 471, with:

    function check_html($s){
        return htmlspecialchars($s);
    }

Users will not be able to format their comments with HTML, but Post Revolution already has BBCode, so there was no need for HTML in comments in the first place. NO HTML FOR YOU!

Fixing the CSRFs will require some coding.

Vendor has released a patch for issues 1 and 2: postrev.com.ar

References
———————————
1. Advisory URL: http://javierb.com.ar/2011/06/01/postrev-vunls/
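The advisory's own fix escapes everything with htmlspecialchars, which is the simplest correct answer. If the allowed-tag list is worth keeping, the example below (added here; it is not the advisory's code and not Post Revolution code) shows a check_html that addresses issues 1 and 2 together: it runs the comment through a real HTML parser instead of the search-and-replace loop, so there is no position that can fail to advance on input like 'a<', and it drops every attribute except a scheme-checked href/src, so event-handler attributes on the permitted tags never reach the page. The function name check_html is reused from the advisory; the constants, helper names and the constructed test inputs at the bottom are assumptions of this example.

```php
<?php
// Added example, not from the advisory or Post Revolution: a terminating,
// attribute-stripping replacement for check_html() in common.php.
declare(strict_types=1);

// Tag list as given in the advisory; everything else is unwrapped or dropped.
const ALLOWED_TAGS  = ['p', 'strong', 'a', 'em', 'i', 'img', 'li', 'ol', 'video', 'blockquote'];
const KEEP_ATTRS    = ['a' => ['href'], 'img' => ['src', 'alt'], 'video' => ['src']];
const DROP_ENTIRELY = ['script', 'style', 'iframe', 'object', 'embed'];   // content is not comment text

// Returns the URL if it is relative or http(s), null if it carries any other scheme.
function safe_url(string $raw): ?string
{
    // Browsers ignore leading/trailing controls and embedded tab/CR/LF when they
    // read a scheme, so normalise the same way before checking.
    $url    = preg_replace('/[\t\r\n]/', '', trim($raw, "\x00..\x20"));
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {
        return null;                                   // unparseable: drop
    }
    if ($scheme === null || in_array(strtolower($scheme), ['http', 'https'], true)) {
        return $url;
    }
    return null;                                       // javascript:, data:, ...
}

function check_html(string $s): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);          // malformed comments are expected
    // A wrapper element gives the fragment a single root; stray content after a
    // premature </div> in the input is simply not serialised.
    $doc->loadHTML('<?xml encoding="UTF-8"?><div>' . $s . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $root = $doc->documentElement;

    // Snapshot the element list first: the tree is modified while walking it.
    foreach (iterator_to_array($doc->getElementsByTagName('*'), false) as $el) {
        if ($el->isSameNode($root) || $el->parentNode === null) {
            continue;
        }
        $tag = strtolower($el->tagName);
        if (in_array($tag, DROP_ENTIRELY, true)) {
            $el->parentNode->removeChild($el);
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unwrap: keep the children/text, drop the tag itself.
            while ($el->firstChild !== null) {
                $el->parentNode->insertBefore($el->firstChild, $el);
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        // Permitted tag: keep only whitelisted attributes, scheme-check URLs.
        $keep = KEEP_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name  = strtolower($attr->name);
            $value = in_array($name, $keep, true) ? $attr->value : null;
            if ($value !== null && ($name === 'href' || $name === 'src')) {
                $value = safe_url($value);
            }
            if ($value === null) {
                $el->removeAttribute($attr->name);
            } else {
                $el->setAttribute($attr->name, $value);
            }
        }
    }

    // Serialise the wrapper's children; the parser has closed every open tag.
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed inputs: the advisory's DoS trigger, an unclosed tag carrying an
// event attribute, and a link with a non-http scheme. All three return promptly.
foreach (['a<', '<p onmouseover="x()">some text', '<a href="javascript:x()">link</a>'] as $input) {
    echo check_html($input), "\n";
}
```

Because the output is re-serialised from a parsed tree, an unclosed tag in a comment is closed in the output, which also removes the "PR doesn't close the tag for you" behaviour the advisory relies on for the mouseover variant. The trade-off against the advisory's htmlspecialchars fix is a larger attack surface to reason about (libxml's parsing of malformed markup), which is why escaping everything remains the safer default when HTML formatting is not actually needed.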
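For the third issue the advisory only notes that a fix "will require some coding". The following added example (not Post Revolution code) is the synchronizer-token pattern that such a fix would typically take: a per-session random token, emitted as a hidden field in every POST form and as a request header for XMLHttpRequest calls, and checked in constant time before any state-changing script does its work. The function names, the csrf_token field name, the X-CSRF-Token header and the assumption that this file is included at the top of each script named in the advisory are all choices of this example.

```php
<?php
// Added example, not from the advisory or Post Revolution: session-bound
// anti-CSRF tokens for state-changing requests.
declare(strict_types=1);

// Returns the session's token, creating a fresh 256-bit one on first use.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to emit inside every <form method="post">.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only when the request carries the session's token, either as the POST
// field or as an X-CSRF-Token header (for ajax-*.php style endpoints).
function csrf_valid(array $post, array $server): bool
{
    $expected = csrf_token();
    $sent     = $post['csrf_token'] ?? $server['HTTP_X_CSRF_TOKEN'] ?? '';
    // hash_equals compares in constant time, so a forged token leaks nothing
    // about how many leading bytes it got right.
    return is_string($sent) && hash_equals($expected, $sent);
}

// Call at the top of every script that changes state. GET requests are not
// checked here because they must not change state in the first place.
function require_csrf(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && !csrf_valid($_POST, $_SERVER)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// Constructed self-check (run from the CLI): a request without the token, as a
// cross-site form post would be, is rejected; one carrying the session's token passes.
$token = csrf_token();
var_dump(csrf_valid([], []));                                  // bool(false)
var_dump(csrf_valid(['csrf_token' => $token], []));            // bool(true)
var_dump(csrf_valid([], ['HTTP_X_CSRF_TOKEN' => $token]));     // bool(true)
```

The captcha that already protects anonymous comments and registration is a weaker form of the same idea: it forces the submitter to prove the request was composed on the site's own page. A token does that for every authenticated action without the usability cost, and because it lives in the server-side session rather than in a cookie, a cross-site request cannot obtain it.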