File 1: oCERT-2011-001 File 2: JAHx113.txt ================================================== #2011-001 Chyrp input sanitization errors Description: The Chyrp framework, an open source blogging engine, suffers from cross-site scripting (XSS) and local file inclusion (LFI) vulnerabilities. Insufficient input sanitization on the parameters passed to pages related to administration settings, the javascript handler and the index handler leads to arbitrary javascript injection in the context of the user session. This could be potentially exploited to hijack the session of the administrator. Insufficient path sanitization on the root 'action' query string parameter leads to inclusion of arbitrary files from local sources, this could be exploited to read arbitrary accessible files on the hosting server filesystem and potentially execute arbitrary commands or code. Affected version: Chyrp <= 2.1 Fixed version: Chyrp, N/A Credit: vulnerability report and PoC code received from Eldar Marcussen . CVE: N/A Timeline: 2011-05-17: vulnerability report received 2010-05-17: contacted chyrp maintainers 2010-07-13: oCERT advisory published jointly with reporter advisory References: http://www.justanotherhacker.com/advisories/JAHx113.txt Permalink: http://www.ocert.org/advisories/ocert-2011-001.html -- Andrea Barisani | Founder & Project Coordinator oCERT | OSS Computer Security Incident Response Team http://www.ocert.org 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E "Pluralitas non est ponenda sine necessitate" ================================================== -------------------------------------------------------------------------------------------- 20110713 - Justanotherhacker.com : Chyrp - Multiple vulnerabilties JAHx113 - http://www.justanotherhacker.com/advisories/JAHx113.txt -------------------------------------------------------------------------------------------- Chyrp is a blogging engine designed to be very lightweight while retaining functionality. It is powered by PHP and has very powerful theme and extension engines, so you can personalize it however you want. The code is well-documented, and it has a very strong structure that's loosely based on the MVC design pattern [ Taken from: http://chyrp.net ] --- Vulnerability description --- The chyrp blogging engine was found to suffer from multiple vulnerabilities in multiple versions. Discovered by: Eldar "Wireghoul" Marcussen Type: Multiple Severity: High Release: Responsible, via oCERT CVE: Not yet assigned Vendor: chyrp.net Affected versions: <= 2.1 --- Cross site scripting --- The action parameter is not sufficiently filtered, escaped or encoded resulting in cross site scripting. Exploit: http://domain/path/admin/?action=[XSS] http://domain/path/includes/javascript.php?action=[XSS] PoC: The javascript.php xss can also be invoked through rewrite rules using the following querystring - http://domain/path/?%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E;url=blah --- Cross site scripting --- The title and body parameters are not initialized in the admin/help.php file resulting in cross site scripting if register globals is on. Exploit: http://domain/path/admin/help.php?title=[XSS]&body=[XSS] --- Local file inclusion --- The action parameter is not sufficiently filtered and vulnerable to local file inclusion. Exploit: http://domain/path/?action=[LFI] PoC: http://domain/path/?action=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpassword%00 --- Directory traversal --- The file parameter for includes/lib/gz.php is vulnerable to a directory traversal bug in Chyrp versions <=2.0. This is due to a php gotcha when using the return value of strpos in an if statement as matches on position 0 will result in a false negative. Exploit: http://domain/path/includes/lib/gz.php?file=/themes/../../../../../../[PATH] PoC: http://domain/path/includes/lib/gz.php?file=/themes/../../../../../../../../../etc/passwd http://domain/path/includes/lib/gz.php?file=/themes/../includes/config.yaml.php --- Arbitrary file upload --- Arbitrary file upload can be done by authorised users in Chyrp version <= 2.0 with the swfupload extension and file upload feathers enabled. The uploaded file extension is restricted through javascript. Modify js in page using firebug or via intercepting proxy to allow *.php upload. A direct POST to http://domain/path/modules/swfupload/upload_handler.php can also be done, but changing js is far easier. PoC: Appended ;*.php in script for the add photo feather (http://domain/path/admin/?action=write_post&feather=photo) using intercepting proxy --- Solution --- Upgrade to version 2.1.1 --- Disclosure time line --- 13-Jul-2011 - Public disclosure 17-May-2011 - Vendor notified 17-May-2011 - oCERT notified