------------------------------------------------------------------------- # Software : PloggerGallery Version 1.0 RC1 # Author : Saadat Ullah # Date : 2/3/13 # Dork : Use Ur Mind # Software Link : http://www.plogger.org/download/ ------------------------------------------------------------------------- +---+[ Feedback.php Sqli ]+---+ Injectable On entries_per_pag Parameter In Feedback.php http://localhost/plogger/plog-admin/plog-feedback.php?entries_per_page=5' p0c if (isset($_REQUEST['entries_per_page'])) { $_SESSION['entries_per_page'] = $_REQUEST['entries_per_page']; } else if (!isset($_SESSION['entries_per_page'])) { $_SESSION['entries_per_page'] = 20; } . . . $limit = "LIMIT ".$first_item.", ".$_SESSION['entries_per_page']; . . // Generate javascript init function for ajax editing $query = "SELECT *, UNIX_TIMESTAMP(`date`) AS `date` from ".PLOGGER_TABLE_PREFIX."comments WHERE `approved` = ".$approved." ORDER BY `id` DESC ".$limit; $result = run_query($query); +---+[ CSRF In Admin Panel ]+---+ Plogger is Not using any parameter or security Token to Protect Against CSRF , So its Vuln To CSRF on ALl Locations Inside Admin Panel.. +---+[ XSS ]+---+ Their Are Multiple XSS in Plogger.Like Editing Comment inside Admin Panel.They Are Filtering The Comments For Normal User But Not For Admin. And AS it is CSRF All Where SO We Can Edit AN Comment VIA CSRF and Change it With Any XSS Vector.. XSS http://localhost/plogger/plog-admin/plog-feedback.php Edit Comment With ANy XSS Vector OR JUSt do it VIA CSRF. Uploading the File and enter name to any XSS Vector.. http://localhost/plogger/plog-admin/plog-upload.php It Can Me Exploit IN Many Ways LIke CSRF + SQLI inside Admin panel..which Is define above. XSS In Edit Comment.CSRF + XSS
Edit Comment





Another XSS http://localhost/plogger/plog-admin/plog-manage.php?action=edit-picture&id=1 Edit Caption To XSS Vector Inside Admin PAnel.. Again CSRF + XSS
Edit Image Properties



CSRF Admin Password Reset And XSS plog-options.php
-------------------------------------------------------- # Email - saadi_linux@rocketmail.com # GreeTz 2 All Pakistani Security Researchers # Home - http://security-geeks.blogspot.com ---------------------------------------------------------